Snort3 Package Status Update



  • Just FYI to Snort users on pfSense. I've started working on the first Snort3 GUI package this week. It's going to take me some time to make the necessary changes. Snort3 uses a quite different configuration file as compared to Snort 2.9.x. The new file is a LUA file, and many of the old Snort 2.9.x parameter names have changed and several parameters have been deleted entirely. So updating the Snort GUI package and creating a suitable migration script is going to take me a while, but I did want to report that I am working on it.

    Snort3 was formerly known as Snort++. The new binary is written in C++; and as I said, makes use of LUA scripting for the configuration. It also provides JSON logging options for all of you that want to export Snort logs to something like an ELK stack or any other JSON consumer.

    I will try and keep some updates of my progress posted here.

    Bill



  • I am making slow but steady progress on the Snort3 package. I'm probably about 40% complete. When you get into it, there are quite a few changes required to the configuration file when moving from Snort 2.9.x to Snort3.



  • does this version support multithreading ?



  • @Actionhenk said in Snort3 Package Status Update:

    does this version support multithreading ?

    Yes, Snort3 is multithreaded. But don't expect a huge performance gain from that. Suricata is multithreaded, and in several independent tests I've seen posted on the web in the past where it was compared with the current single-threaded Snort 2.x, there was not a lot of difference in packet throughput. Even multithreaded applications still have some bottleneck points where things have to come back down to a single thread.

    While multithreaded is not a bad thing, and it can help in some situations, I just don't think it is the quite the "super thing" that some folks think it is.


Log in to reply