[Snort-devel] performance: CheckDstIp

Christian Mock cm at ...1206...
Tue Mar 19 09:56:15 EST 2002


Hi,

while profiling snort, I found an interesting fact today: CheckDstIp is 
number one in the profiling chart.

This is snort 1.8.4, which in this configuration (8 CIDR blocks as $HOME_NET
plus about 1000 rules) manages to use all CPU on a celeron/900 box with
only 4 MBits of monitored network traffic (1000 packets/sec).

Weeding out some unused networks from $HOME_NET brought the list down to
4 CIDR blocks and CheckDstIp to 52% of the total run time.

I certainly would have expected the pattern matching functions and the
more complex plugins to be at the top of the profile output...

What I tried now is to swap the order of the PortToFunc and AddrToFunc calls
in SetupRTNFuncList, because CheckDstPortEqual seems to be a much cheaper
function call than CheckDstIp, even if we divide the "self" number above
by eight. A new profiling run with the modified binary shows it's getting
much faster:

  %   cumulative   self              self     total           
 time   seconds   seconds    calls  ns/call  ns/call  name    
 52.50     38.91    38.91  1218453 31933.94 57457.28  EvalHeader
 15.58     50.46    11.55 92637885   124.68   219.31  CheckDstPortEqual
 14.54     61.24    10.78 16626020   648.38   652.21  CheckDstIP
  2.90     63.39     2.15  4878184   440.74  1414.50  EvalOpts
  1.61     64.58     1.19  2329266   510.89   528.53  mSearchCI
  1.57     65.74     1.16   940077  1233.94  1269.23  mSearch
  1.27     66.68     0.94  3589444   261.88   267.45  CheckTcpFlags

before:

  %   cumulative   self              self     total           
 time   seconds   seconds    calls  us/call  us/call  name    
 52.50     67.82    67.82 91527881     0.74     0.76  CheckDstIP
 31.35    108.32    40.50  1205366    33.60   104.07  EvalHeader
  3.20    112.45     4.13  5265545     0.78     0.81  CheckSrcIP
  2.31    115.44     2.99  2740799     1.09     1.10  mSearchCI
  2.14    118.20     2.76  5972546     0.46     1.81  EvalOpts
  1.73    120.43     2.23  1217589     1.83     1.84  mSearch
  0.99    121.71     1.28 48323442     0.03     0.03  CheckDstPortEqual

total CPU time is 130 vs. 75 seconds (note that both profiling runs were
taken "off the network", i.e. conditions are not completely equal).

Now the interesting question is: is the change I made (patch is below)
valid, or does it break something? I don't grok the snort code enough
to judge this...

ciao,

cm.

--- diff ---

Index: rules.c
===================================================================
RCS file: /data/cvs/projects/appliance/software/src/snort/rules.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 rules.c
*** rules.c	2002/03/19 12:40:46	1.1.1.2
--- rules.c	2002/03/19 17:35:40
***************
*** 984,1000 ****
      }
      else
      {
-         /* link in the proper IP address detection function */
-         /*
-          * the in-line "if" determines whether or not the negation operator
-          * has been set for this rule and tells the AddrToFunc call which
-          * function it should be linking in
-          */
-         AddrToFunc(rtn, SRC);
- 
-         /* last verse, same as the first (but for dest IP) ;) */
-         AddrToFunc(rtn, DST);
- 
          /* Attach the proper port checking function to the function list */
          /*
           * the in-line "if's" check to see if the "any" or "not" flags have
--- 984,989 ----
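Review bot: the comment block removed above `AddrToFunc(rtn, SRC);` is stale and should not travel verbatim to its new location: it says an in-line "if" selects the function according to the negation operator, but the two calls `AddrToFunc(rtn, SRC);` and `AddrToFunc(rtn, DST);` carry no conditional at all, so any negation handling must already live inside AddrToFunc; reword the comment when the calls are re-added. Note also that this hunk only deletes, so on its own it leaves the `else` branch with no address checks; it is only correct together with the hunk that re-inserts the calls after the port checks.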
***************
*** 1007,1012 ****
--- 996,1012 ----
          /* as above */
          PortToFunc(rtn, (rtn->flags & ANY_DST_PORT ? 1 : 0),
                     (rtn->flags & EXCEPT_DST_PORT ? 1 : 0), DST);
+ 
+         /* link in the proper IP address detection function */
+         /*
+          * the in-line "if" determines whether or not the negation operator
+          * has been set for this rule and tells the AddrToFunc call which
+          * function it should be linking in
+          */
+         AddrToFunc(rtn, SRC);
+ 
+         /* last verse, same as the first (but for dest IP) ;) */
+         AddrToFunc(rtn, DST);
      }
  
  #ifdef DEBUG
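Review bot: moving `AddrToFunc(rtn, SRC);` and `AddrToFunc(rtn, DST);` behind the two PortToFunc calls is only behaviour-preserving if every function linked into the RTN list is a pure predicate and the list is evaluated with short-circuit semantics; it is worth checking that nothing in EvalHeader or in the port check functions depends on the address check having run first (for instance, state recorded by the address match). The gain is also rule-set dependent: a rule built with ANY_DST_PORT passes the port check for every packet, so the address walk still runs for it, and since the 130 s vs. 75 s figures come from two separate live captures, a comparison on identical input would make the speedup credible.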

--- /diff ---

-- 
Christian Mock                          Wiedner Hauptstrasse 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
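As an added illustration (not the author's patch or Snort's code; the type and function names are hypothetical), this models the ordering effect the post describes: a rule node chains a cheap port compare and an expensive walk over the $HOME_NET CIDR list, evaluates them in order with short-circuit semantics, and counts how often the address walk runs on constructed traffic. It also shows the caveat that a rule with an "any" destination port gains nothing from the swap.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration with hypothetical names (not Snort's source): a rule node
 * chains two check functions and evaluates them in order, stopping at the first
 * one that fails, as the RTN function list does. */
typedef struct { uint32_t dip; uint16_t dport; } Pkt;
typedef struct Rule Rule;
typedef int (*CheckFn)(const Rule *, const Pkt *);
struct Rule {
    uint32_t nets[8], masks[8]; int nnets;  /* $HOME_NET as CIDR blocks */
    uint16_t dport; int any_port;           /* dst port, or "any" */
    CheckFn fn[2];                          /* the ordered check chain */
};
static long ip_calls;                       /* runs of the expensive address walk */

/* Address check: linear walk over the CIDR list (the costly one in the profile). */
static int check_dst_ip(const Rule *r, const Pkt *p) {
    ip_calls++;
    for (int i = 0; i < r->nnets; i++)
        if ((p->dip & r->masks[i]) == r->nets[i]) return 1;
    return 0;
}
/* Port check: a single compare, and always true for an "any" port rule. */
static int check_dst_port(const Rule *r, const Pkt *p) { return r->any_port || p->dport == r->dport; }
static int eval_rule(const Rule *r, const Pkt *p) {
    for (int i = 0; i < 2; i++)
        if (!r->fn[i](r, p)) return 0;      /* short-circuit on first miss */
    return 1;
}

/* Constructed traffic: 1000 packets to 10.0.0.1, one in ten to port 80.
 * Returns how many times the address check ran under the chosen ordering. */
long count_ip_checks(int port_first, int any_port) {
    Rule r = { .nnets = 1, .dport = 80, .any_port = any_port };
    r.nets[0] = 0x0A000000u; r.masks[0] = 0xFF000000u;   /* 10.0.0.0/8 */
    r.fn[0] = port_first ? check_dst_port : check_dst_ip;
    r.fn[1] = port_first ? check_dst_ip : check_dst_port;
    ip_calls = 0;
    for (int i = 0; i < 1000; i++) {
        Pkt p = { 0x0A000001u, (uint16_t)(i % 10 == 0 ? 80 : 1024 + i) };
        eval_rule(&r, &p);
    }
    return ip_calls;
}

int main(void) {
    printf("ip first: %ld  port first: %ld  port first, any-port rule: %ld\n",
           count_ip_checks(0, 0), count_ip_checks(1, 0), count_ip_checks(1, 1));
    return 0;
}
```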



