[Snort-devel] [Snort-users] 2.9.0.1 performance issue

matan monitz mmonitz at ...2499...
Thu Nov 18 11:09:03 EST 2010


sounds related to the http_inspect\stream reassembly bugfix

On Thu, Nov 18, 2010 at 4:31 PM, Matt Olney <molney at ...402...> wrote:

> Hi Frank!
>
> Copying the devel list so the Snort team will see this.
>
> Matt
> VRT
>
> On Thu, Nov 18, 2010 at 4:05 AM, Frank Eberle <himself at ...3127...>wrote:
>
>> Hello,
>>
>> recently I've updated an already running installation from 2.9.0 to
>> 2.9.0.1. Before the update CPU load was about 30%. After a while I've
>> recognized that the snort process took 100% CPU time.
>>
>> I've compiled snort with performance profiler support to analyse the
>> problem. I've seen that rule 17468 was the most busy rule with 2.9.0.1
>> and in the preproc stats 'pcre' took much more time than with 2.9.0.
>>
>> After tweaking the config file for some time, I've found out that when
>> setting the parameter http_inspect_server / server_flow_depth to -1 the
>> CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the
>> parameter to 0 or any value greater than 0, I've seen the performance
>> issue again.
>>
>> Then I've examined the source code (especially the code of http_inspect)
>> and in my opinion the behaviour of the server_flow_depth changed
>> completely. With 2.9.0 a value > 0 limited the inspection of the entire
>> HTTP response (including the body). Now with 2.9.0.1 only the first
>> response packet of the header is limited. All following response packets
>> are examined. This leads to my observed performance issue. Rule 17468
>> examines HTTP responses. The content match (content:"http|3A|") is not
>> very significant, so the pcre test is called very often, which leads to
>> the bad performance.
>>
>> Has anybody recognized similar performance issues, or does anybody know
>> why the http_inspect code was changed in this way? (When reading the
>> comment in the changelog, the comment in the source code and the
>> documentation, I'm thinking that this behaviour is a bug.)
>>
>> Regards
>>
>> Frank
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
>
>
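The two server_flow_depth semantics that Frank contrasts in his mail, modelled as an added example. This is not Snort source and not code from any poster on this thread: it simulates, for one constructed HTTP response split into TCP segments, how many bytes and how many pcre evaluations a rule of the shape "content:"http|3A|" followed by a pcre" would see when the flow depth caps the whole response (the 2.9.0 behaviour as Frank describes it) versus when it only trims the first response packet (the 2.9.0.1 behaviour he observed). The sample response, the regex standing in for rule 17468's pcre (which is not on the page) and the reading of -1 as "skip the response" are all assumptions of the model.

```python
"""
Model of what http_inspect's server_flow_depth leaves for rule evaluation.

Added example, not Snort source.  Two semantics are modelled, both taken
from Frank's description in the thread, not from Snort's own code:
  * per_session_budget: 2.9.0 behaviour, server_flow_depth caps the total
    response bytes (headers + body) handed to detection for the session.
  * first_packet_only:  2.9.0.1 behaviour as observed, the cap is applied
    to the first response packet only; every later packet is inspected whole.
A stand-in rule mimics a content:"http|3A|" match gating a pcre, and the
simulation counts how often the pcre actually runs under each semantics.
"""
import re

# Constructed sample: one HTTP response as the TCP stream would deliver it
# in segments.  Not a capture; the links are there to make "http:" common.
RESPONSE_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 322\r\n\r\n<html><body>",
    b'<a href="http://example.test/a">a</a>' * 4,
    b'<a href="http://example.test/b">b</a>' * 4,
    b"</body></html>",
]

CONTENT_NEEDLE = b"http:"   # what content:"http|3A|" matches (case-sensitive)
# Hypothetical regex standing in for rule 17468's pcre, which is not on the page.
PCRE = re.compile(rb"http://[^\s\"'<>]{1,256}")


def per_session_budget(segments, flow_depth):
    """2.9.0 semantics as Frank describes them: N > 0 hands detection at most
    N bytes of the whole response, then stops; 0 inspects all of it.
    -1 is modelled as 'skip the response' (assumption: Frank only reports
    that -1 restores 2.9.0 performance)."""
    if flow_depth == -1:
        return []
    if flow_depth == 0:
        return list(segments)
    out, remaining = [], flow_depth
    for seg in segments:
        if remaining <= 0:
            break
        out.append(seg[:remaining])
        remaining -= len(seg)
    return out


def first_packet_only(segments, flow_depth):
    """2.9.0.1 as observed: N > 0 truncates only the first response packet;
    every later packet reaches detection untouched."""
    if flow_depth == -1:
        return []
    if flow_depth == 0:
        return list(segments)
    return [segments[0][:flow_depth]] + list(segments[1:])


def run_rule(buffers):
    """Evaluate the stand-in rule on each buffer handed to detection.
    Returns (bytes_inspected, pcre_evaluations, alerts)."""
    inspected = pcre_runs = alerts = 0
    for buf in buffers:
        inspected += len(buf)
        if CONTENT_NEEDLE in buf:       # cheap content match gates the pcre
            pcre_runs += 1
            if PCRE.search(buf):
                alerts += 1
    return inspected, pcre_runs, alerts


def simulate(semantics, flow_depth, segments=RESPONSE_SEGMENTS):
    """Apply one flow-depth semantics and run the stand-in rule on the result."""
    return run_rule(semantics(segments, flow_depth))


if __name__ == "__main__":
    for depth in (-1, 0, 32):
        for sem in (per_session_budget, first_packet_only):
            inspected, pcre_runs, alerts = simulate(sem, depth)
            print(f"server_flow_depth {depth:>3} {sem.__name__:>19}: "
                  f"bytes={inspected} pcre={pcre_runs} alerts={alerts}")
```

With server_flow_depth 32 the per-session budget never gets past the first 32 bytes of the headers, so the pcre is never evaluated; under the first-packet-only reading the same setting still hands every body segment to detection, and every buffer that contains "http:" costs a pcre call. That is the mechanism behind the CPU difference Frank measured: a weak fast-pattern plus full-body inspection means the expensive option runs on most response packets. -1 and 0 behave identically under both readings, which matches his observation that only -1 brought 2.9.0.1 back to 2.9.0 load.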

