[Bro] Creating new Val() in multi-threaded bro

Yuppie yuppie4ever at gmail.com
Tue Apr 24 07:57:08 PDT 2007 

On 4/24/07, Christian Kreibich <christian at whoop.org> wrote:
> There are surely many places in the code in which static variables may
> collide with multi-threaded operation. There will also be a number of
> synchronization issues. The real question is what you are actually
> trying to achieve, so you can adjust the architecture to run the
> relevant tasks in separate threads. This may be non-trivial. That said,
> it would clearly be interesting to parallelize the operation of
> individual analyzers, for example.

I'm playing with the idea of remotely controlling Bro
operation/configuration. Sorry, I'm not interested in Broccoli as that
is a non-standard interface. For that I'm creating a separate thread
that accepts SOAP messages and controls Bro on-the-fly. I could really
do it as a single thread, but it's cleaner the other way.
I'm curious though, if the broccoli interface/api is a binary or a text one!

Your idea of parallelizing the various analyzers is something I have
considered. Really, it'll only make sense parallelizing the analyzers
on a single packet. Analyzing multiple packets at the same instant
would create synchronization problems of their own sort. What if the
analysis of second packet ends up finishing before the first though it
was dependent on the first? This is true not just for packets from
same connection. Distinct connections may be related too and may need
synchronous processing.

Talking of analyzing single packets (at an instant) using multiple
analyzers, don't know how beneficial that is really. Can't think of
too many cases where this is helpful. Especially, even in these cases,
after analyzing the first packet, mostly only a single analyzer
remains interested. And from what I know, subsequent packets belonging
to the same connection can re-use the analyzer information stored in
the connection entry.

Having said that, parallelizing Event dispatches would be interesting,
since there's no guarantee of order in Event Handler execution for a
given event anyways.

cheers
-y

More information about the Bro mailing list