Snort 3 system architecture
In this section, we will examine how the various key components link to each other and interact to form the Snort 3 system. We will also examine the typical flow of packet processing and the multithreaded approach that is new in Snort 3.
Multithreading
Multithreading is one of the critical changes in Snort 3. Snort creates its processing threads based on the number of CPU cores available. The supporting DAQ modules split the network traffic and provide the packets to each Snort thread as required. (A DAQ module may employ techniques such as flow pinning and six-tuple hashing for this purpose.)
Figure 3.2 – A system with a single Snort process and three processing threads
Figure 3.2 shows a system with a single Snort process and three processing threads. All the threads share the config memory; there is no memory duplication.
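Flow pinning, mentioned above as one way a DAQ module can split traffic, keeps both directions of a connection on the same thread so that one thread sees the complete flow. The following Python example is an added illustration, not code from Snort or its DAQ modules; the six fields used (addresses, ports, protocol, VLAN ID), the BLAKE2 hash and all function names are assumptions, since the text does not specify them.

```python
import hashlib
import ipaddress

NUM_THREADS = 3  # matches the three processing threads in Figure 3.2


def flow_key(src_ip, src_port, dst_ip, dst_port, proto, vlan=0):
    """Build a direction-independent key from six fields (assumed tuple)."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))  # ordering the endpoints makes A->B equal B->A
    return (lo, hi, proto, vlan)


def pick_thread(pkt, num_threads=NUM_THREADS):
    """Map a packet to a thread index; all packets of a flow get the same one."""
    key = repr(flow_key(*pkt)).encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % num_threads


def distribute(packets, num_threads=NUM_THREADS):
    """Return {thread_index: [packets]}, the split a traffic distributor produces."""
    queues = {i: [] for i in range(num_threads)}
    for pkt in packets:
        queues[pick_thread(pkt, num_threads)].append(pkt)
    return queues


# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, proto, vlan)
SAMPLE = [
    ("10.0.0.5", 51000, "192.0.2.10", 443, 6, 0),   # client -> server
    ("192.0.2.10", 443, "10.0.0.5", 51000, 6, 0),   # server -> client, same flow
    ("10.0.0.6", 40000, "192.0.2.53", 53, 17, 0),   # DNS query
    ("192.0.2.53", 53, "10.0.0.6", 40000, 17, 0),   # DNS reply, same flow
    ("10.0.0.5", 51000, "192.0.2.10", 443, 6, 20),  # same 5-tuple, other VLAN
]

if __name__ == "__main__":
    for idx, pkts in distribute(SAMPLE).items():
        print(f"thread {idx}: {len(pkts)} packet(s)")
```

A hash that is not symmetric would send the request and the reply of one connection to different threads, and neither thread could reassemble or track the session on its own.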
In the next section, we will look at the packet flow within each Snort thread.