[Snort-users] Snort 3.0 Beta 3 is available.

Martin Roesch roesch at ...1935...
Wed Apr 1 16:17:22 EDT 2009

Go get it here:




* Updated snort analytic to

* Added dynamic-plugins/sf_engine/examples/ and tweaked sspiffy.sh to handle SO

* Hardened PORTLISTS code.

* Fixed load balancing bug in framework.

* Better integration of the Snort analytic with the framework.  Packet decoding
  and flow computation are now done solely by the framework.

* Added more options to sspiffy.sh.

* Added single threaded mode (configure --enable-single-threaded).  More on
  this below.

* Reduced thread local storage (TLS) accesses.

* Changed shared objects to use hidden visibility by default to reduce
  translation overhead.

The SnortSP architecture was designed to be as flexible as possible to obtain
the best performance for your security software on any given platform.  In this
3rd Beta release, you can build SnortSP in two basic ways:

* Multithreaded mode (original):  this is the default.  In this mode the core
  functions like packet acquisition, decoding, and flowing are performed by the
  framework in one thread and the analytics perform detection in their own
  separate threads.

* Single-threaded mode (new):  this is enabled by configure
  --enable-single-threaded.  In this mode, the framework and analytics are
  "stacked" up to run sequentially in the same thread.  You can even configure
  multiple stacks to run in parallel.

In either mode, you can pin the engine and analytics to specific
processors on multicore systems.

That's the basics.  I'll be doing a more extensive posting to cover
the architectural changes shortly.

Thanks to the Snort Team and everyone at Sourcefire who helped get
this one out the door!


Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
