Multi-process Snort

A little bit about Snort:
Snort is an Intrusion Detection System / Intrusion Prevention System (IDS/IPS). In intrusion detection mode Snort sniffs the traffic on your network and alerts on threats; in intrusion prevention mode, i.e. inline Snort, all your network traffic passes through it and it drops "bad packets", thereby protecting your network from intrusion. Snort is well supported, with regular updates from Sourcefire.

Snort is highly customizable and takes custom rules that it matches against traffic while detecting intrusions on your network. Rule-sets are available both free and paid, from Sourcefire (VRT rules) as well as from Emerging Threats (ET). Snort can log in various formats, including flat files (log files), syslog, MySQL/MSSQL/PostgreSQL databases, and Snort's own unified and unified2 formats. It is well known that unified and unified2 are the fastest way Snort can log: the database outputs pay connection and insert latency on the packet-processing path, whereas unified2 just appends binary records to a file that a separate process can read later. I will cover more about the unified and unified2 formats in a blog post some day (describing my experiences with the Snort unified format as well).

Multi-threading Snort:
THE NEED:
Snort is single-threaded by default, and since it is one of the most widely used IDSes in the community, it is critical that it be multi-threaded, or at least made to run such that it can take advantage of a multi-core CPU or multi-processor server. The biggest problem in doing so is that it is a Herculean task: Snort has been developed for over 10 years now, and multi-threading it requires a complete redesign of some of its most critical components, including the preprocessors and the detection engine. The average source file in Snort is 2-5K lines, all written in C. Moreover there is no real motivation for Sourcefire to do it, because Sourcefire IDS appliances cost around $25K and make it a huge sum of money.
Also, for most deployments, using multiple monitoring ports, or physically dividing your network traffic by source and using a monitor (SPAN) port on each of your network switches, addresses the issue. Take a tap at each subnet you would like to monitor, attach it to a separate NIC, and have a dedicated Snort instance listen on that interface. That does not make Snort multi-threaded, but rather multi-process, and each process can be pinned to its own core. The one thing to get right is that each instance must write to its own log directory and carry its own log identifier, otherwise the parallel processes clobber each other's unified2 files and their alerts cannot be told apart afterwards.
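Here is a launcher script, added as an example and not code from the original post, that does exactly that: one Snort process per interface, pinned to its own CPU with taskset, with a per-instance log directory and log identifier (-G) so the unified2 files from the instances stay separate. It assumes Snort 2.x command-line flags, Linux taskset, and the paths /etc/snort/snort.conf, /var/log/snort and /var/run/snort; the sensor map at the bottom is constructed for illustration. It also goes slightly beyond the post by allowing an optional BPF filter per instance, so that one tap's traffic can be split by subnet across several processes instead of needing a separate NIC per subnet.

```shell
#!/bin/sh
# Added example (not from the original post): run one Snort process per
# monitored interface, each pinned to its own CPU core, so a single-threaded
# Snort still uses the whole box. Assumes Snort 2.x flags, Linux `taskset`,
# and the paths below (all assumptions, adjust for your deployment).

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"  # assumed location
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"             # one subdir per instance
PID_DIR="${PID_DIR:-/var/run/snort}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = really launch

# build_snort_cmd IFACE LOG_ID CPU [BPF...]
# Prints the command line for one sensor process:
#   taskset -c CPU   pin the process to a single core
#   -i IFACE         interface to sniff
#   -G LOG_ID        log identifier, so events from parallel instances
#                    can be told apart once they are merged
#   -l DIR           per-instance log dir (instances must not share unified2 files)
#   -D -q            daemonize, quiet banner
#   trailing BPF     optional capture filter, e.g. to split one tap by subnet
build_snort_cmd() {
    iface=$1; log_id=$2; cpu=$3; shift 3; bpf=$*
    cmd="taskset -c $cpu snort -q -D -c $SNORT_CONF -i $iface -G $log_id -l $LOG_ROOT/$iface --pid-path $PID_DIR"
    [ -n "$bpf" ] && cmd="$cmd '$bpf'"
    printf '%s\n' "$cmd"
}

# launch_all reads "IFACE LOG_ID CPU [BPF]" lines from stdin and starts one
# Snort per line. Lines starting with # and blank lines are ignored.
# The sensor map is trusted operator input; it is eval'ed to preserve the
# quoted BPF, so never feed it untrusted data.
launch_all() {
    while read -r iface log_id cpu bpf; do
        [ -z "$iface" ] && continue
        case $iface in '#'*) continue ;; esac
        cmd=$(build_snort_cmd "$iface" "$log_id" "$cpu" $bpf)
        if [ "$DRY_RUN" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        else
            mkdir -p "$LOG_ROOT/$iface" "$PID_DIR"
            eval "$cmd"
        fi
    done
}

# Constructed sensor map for illustration (not a real deployment):
# eth1 and eth2 are taps on two subnets; eth0 is a single SPAN port whose
# traffic is split between two processes by BPF filter.
launch_all <<'EOF'
# iface  log_id  cpu  bpf (optional)
eth1     0x1     1
eth2     0x2     2
eth0     0x3     3    net 10.0.1.0/24
eth0     0x4     4    net 10.0.2.0/24
EOF
```

With DRY_RUN=1 (the default) the script only prints the four command lines; set DRY_RUN=0 to start the daemons. Every process loads the same snort.conf, but because -l points each one at its own directory, the `output unified2:` line in that config produces a separate file per instance, and the -G value is folded into each event's ID so the records can still be distinguished after they are merged by whatever reads the unified2 files.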

(to be continued.......)
