[Snort-users] Snort on a parallel machine?

James Hoagland hoagland at ...47...
Mon Mar 19 15:18:05 EST 2001


At 10:33 AM -0800 3/19/01, John Kiehnle wrote:
>Someone else is peeling my exact question... right to the core. Over the next
>several years as bigger pipes, wireless networks, 64-bit busses, greater
>automation and new tools are developed to exploit vulnerabilities, it seems we
>are eventually going to arrive at that critical mass where a single processor
>snort IDS will not do the job. Things like Statistical Packet Anomaly
>Detection, and their corresponding correlation engines, (thank you brothers in
>arms at Silicon Defense) will put even our beefy snort boxes on their knees.
>Some packet flood tools already seem to be able to overwhelm some "other"
>vendor IDSs. ; )

You're welcome.  FYI, the initial implementation of the SPICE 
correlator has been designed as multi-threaded from the beginning 
(with, unfortunately, the usual increase in testing and debugging 
difficulty).

>My questions are:
>
>is there any "parallelness" inherent in the snort IDS which lends itself to
>being re-tooled to take advantage of a parallel machine?

I can't speak to the rest of Snort, but I don't see any reason why 
Spade couldn't be run in parallel with the code to check a packet 
against rules.

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|



