[Snort-devel] Possible issues with SSL Preprocessor?

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2499...
Fri Aug 5 09:56:12 EDT 2011


Hello.  I have what may be an issue with the SSL pre-processor
consuming processor cycles for encrypted traffic.  The Snort is
2.9.0.5.

In my snort.conf I have the following line:

preprocessor ssl: noinspect_encrypted

When I start snort I run this:

# snort -c /etc/snort/snort.conf -u pcap -D -k none --daq afpacket -b -i eth0 "port 443"

Most of all the traffic this should see is SSL and it should not be
inspected after the snort determines it is SSL due to the 4-way
handshake.
HOWEVER, this process is consuming 75-100% of my processor.  I
thought once the snort realized it was SSL (encrypted), it would not
inspect that stream anymore.  But then why so much processor usage?
Yes there is a lot of SSL traffic but just looking at 7 packets per
stream (maybe a few more depending on fragmentation, window size, and
PSH flags, etc.) does not seem logical to me to use so much of the
CPU.

Thank you for any insights.

-L0rd C.



