[Snort-users] Snort as Gigabit Sensor

Chris Green cmg at ...1935...
Thu Jul 31 09:30:08 EDT 2003

Frank Knobbe <frank at ...9761...> writes:

> heh... now you sparked my interest. What exactly "didn't work" in
> threading Snort? 

At some point around 1.8, it didn't work. Namely, --enable-pthreads
resulted in a non-working build. Full instances of snort were
basically spawned off for each thread.  Now, reconciling that with
making the rest of snort thread safe once snort started keeping state
takes a lot of work.  There are a lot of globals and statics that would
need lots of spinlocks.

> Looking at the current source, I still see the function
> "InterfaceThread", but no use of pthread as it was in Snort 1.9
> (just grepping at the moment)

That one thread is the snort process.

> . Running the packet capture per interface in separate threads was a
> good idea (I haven't tried it myself though). And the code didn't
> seem that much more complex either.

That gave the detection engine the threading capability of

 snort1 -c snort1.conf -i eth0 &
 snort2 -c snort1.conf -i eth1 &
 snort3 -c snort1.conf -i eth2 &

The latter process is more flexible and just as good as snort doing
that spin for you.
