Things that my poor brain cannot understand…

Here, I read an Intel whitepaper about how one can improve the performance of Snort (or an IDS system) using Intel multi-core architecture. I recommend that you read that whitepaper; it's full of nice ideas about distributing the packet capture and the other steps like decoding, pattern matching, etc. over different CPU cores and taking advantage of a large L2 cache for expensive pattern matching operations.

Now the part that I cannot understand: Snort does not have multi-core, multi-thread support… In the whitepaper Intel says that they modified the code so that it runs multiple threads.

“The Snort application was modified to run multiple threads and to pin flows to execution cores.”

My questions are: Does Intel care to share this code with the Snort community, so that we can improve our Snort sensors and tend to buy more Intel CPUs? Is Sourcefire aware of this (I'm sure they are), and were they involved in “modifying Snort to run multi threads”? I want to know this because my Snort box is choking under the load of gigabit traffic!

It looks like Snort will have multi-thread support in the next major version, 3.0. But I couldn't see much in Snort CVS about this. Either the new version is being developed somewhere behind closed doors (the code is not ready for the public yet!), or it's still an idea.

Snort being “commercialized” day after day, the dirty Nessus example, and not having a similar product in the market as good as Snort and Nessus make me worry every day about the future of free security products…