[Snort-users] flowbits performance hit?

sekure sekure at ...11827...
Tue Oct 5 06:01:14 EDT 2004


Greetings,

This morning I came in to find over 450 "JPEG parser multipacket heap
overflow" alerts (sid:2707), from a single conversation last night.
It's clearly a false positive, but it helped me identify a few problems
with my setup, and I was hoping for some assistance with this one:

I am running a fairly beefy box with Intel quad server PCI-X card and
Phil Wood's modified libpcap, logging fast alerts to a text file and
also writing a unified log for processing with barnyard.  Never had an
issue with dropped packets, handling up to 30Mbps in some cases, until
last night that is.  As soon as these alerts started coming, the
dropped packets jumped, up to 17% in one case.  The CPU shot up to
around 20% also, the highest I've ever seen it.  The throughput at
the time was 1Mbps, so I know it isn't the capture/libpcap that's the
problem.  Here are a few lines from snort.stats, including the few
lines before this happened:

1096935943,0.000,0.5,0.0,0.1,845,26.69,1.4,1.4,2.7,2.6,122,379,19.5,0,11,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.4
1096936258,0.000,0.8,0.0,0.2,772,59.91,2.7,1.1,2.6,2.6,108,379,15.5,0,10,0.0,0.0,0.0,0.0,0,0,2.7,0.1,97.3
1096936572,17.124,1.0,0.1,0.2,796,73.36,0.8,0.8,2.1,2.1,117,379,10.1,0,10,0.0,0.0,0.0,0.0,0,0,26.2,0.1,73.7
1096936894,0.000,1.2,0.0,0.2,798,75.49,2.4,0.8,2.1,2.2,81,379,9.6,0,11,0.0,0.0,0.0,0.0,0,0,4.5,0.1,95.4
1096937223,4.562,1.1,0.0,0.2,830,69.63,1.4,1.3,2.7,2.6,125,379,14.5,0,10,0.0,0.0,0.0,0.0,0,0,9.7,0.1,90.2
1096937537,2.043,1.2,0.1,0.2,761,70.20,3.1,1.4,2.9,2.9,138,379,16.4,0,10,0.0,0.0,0.0,0.0,0,0,13.4,0.1,86.5
1096937888,9.142,1.2,0.0,0.2,859,71.16,1.3,1.2,2.6,2.7,103,379,17.6,0,11,0.0,0.0,0.0,0.0,0,0,19.9,0.1,80.0

Can this possibly be related to flowbits, since this rule uses them? 
This is a wild speculation of course, but I don't know what else to
attribute this to.  Or can the fact that I am logging fast alert to a
text file really be that much of a performance hit?

Any ideas?
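The snort.stats lines quoted in the post are the CSV written by Snort's perfmonitor preprocessor. The script below is an added example (not part of the original post and not Snort's own code) that parses those lines and picks out the intervals where the drop rate climbs while wire throughput stays low, which is the pattern that points at the detection engine or output path rather than at libpcap. It relies only on the first four fields (timestamp, percent packets dropped, wire Mbit/s, alerts/s) and the last three (user, system, idle CPU); the thresholds and the helper names are this example's own choices, and the sample input is the seven lines from the post.

```python
"""
Parse Snort perfmonitor (snort.stats) output and flag intervals where packets
are being dropped even though the wire rate is far below what the sensor
normally handles.  Added example; column positions for the first four and the
last three fields follow the perfmonitor CSV layout, the rest are not used.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample input: the seven snort.stats lines quoted in the post.
SAMPLE_STATS = """\
1096935943,0.000,0.5,0.0,0.1,845,26.69,1.4,1.4,2.7,2.6,122,379,19.5,0,11,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.4
1096936258,0.000,0.8,0.0,0.2,772,59.91,2.7,1.1,2.6,2.6,108,379,15.5,0,10,0.0,0.0,0.0,0.0,0,0,2.7,0.1,97.3
1096936572,17.124,1.0,0.1,0.2,796,73.36,0.8,0.8,2.1,2.1,117,379,10.1,0,10,0.0,0.0,0.0,0.0,0,0,26.2,0.1,73.7
1096936894,0.000,1.2,0.0,0.2,798,75.49,2.4,0.8,2.1,2.2,81,379,9.6,0,11,0.0,0.0,0.0,0.0,0,0,4.5,0.1,95.4
1096937223,4.562,1.1,0.0,0.2,830,69.63,1.4,1.3,2.7,2.6,125,379,14.5,0,10,0.0,0.0,0.0,0.0,0,0,9.7,0.1,90.2
1096937537,2.043,1.2,0.1,0.2,761,70.20,3.1,1.4,2.9,2.9,138,379,16.4,0,10,0.0,0.0,0.0,0.0,0,0,13.4,0.1,86.5
1096937888,9.142,1.2,0.0,0.2,859,71.16,1.3,1.2,2.6,2.7,103,379,17.6,0,11,0.0,0.0,0.0,0.0,0,0,19.9,0.1,80.0
"""


@dataclass
class Interval:
    ts: int            # unix timestamp at the end of the sampling interval
    drop_pct: float    # percent of packets dropped by the capture layer
    mbits: float       # wire throughput in Mbit/s
    alerts_per_sec: float
    cpu_user: float
    cpu_sys: float
    cpu_idle: float


def parse_stats(text: str) -> List[Interval]:
    """Parse snort.stats CSV text; '#' comment lines and blank lines are skipped."""
    intervals = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        intervals.append(Interval(
            ts=int(row[0]),
            drop_pct=float(row[1]),
            mbits=float(row[2]),
            alerts_per_sec=float(row[3]),
            cpu_user=float(row[-3]),
            cpu_sys=float(row[-2]),
            cpu_idle=float(row[-1]),
        ))
    return intervals


def baseline_cpu_user(intervals: List[Interval]) -> float:
    """Mean user CPU over intervals with no drops: what 'normal' looks like."""
    clean = [i.cpu_user for i in intervals if i.drop_pct == 0.0]
    return sum(clean) / len(clean) if clean else 0.0


def find_engine_bound_intervals(intervals: List[Interval],
                                drop_threshold: float = 1.0,
                                mbits_ceiling: float = 5.0) -> List[Interval]:
    """Intervals dropping more than drop_threshold percent while the wire rate
    is below mbits_ceiling.  The ceiling is an assumed value well under the
    rate the sensor is known to sustain; drops under it cannot be blamed on
    capture volume, so the time is going somewhere else (engine, output)."""
    return [i for i in intervals
            if i.drop_pct > drop_threshold and i.mbits < mbits_ceiling]


def report(text: str) -> List[str]:
    """Human-readable summary of the suspicious intervals, one line each."""
    intervals = parse_stats(text)
    base = baseline_cpu_user(intervals)
    lines = []
    for i in find_engine_bound_intervals(intervals):
        lines.append("%d drop=%.1f%% wire=%.1fMb/s alerts/s=%.1f usr_cpu=%.1f%% (+%.1f over baseline)"
                     % (i.ts, i.drop_pct, i.mbits, i.alerts_per_sec,
                        i.cpu_user, i.cpu_user - base))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_STATS):
        print(line)
```

On the quoted data every dropping interval sits at 1.0 to 1.2 Mbit/s with user CPU several times the no-drop baseline, which is the same reading the post gives: the sensor is spending its time after capture, not in it. The script says nothing about which rule or output plugin is responsible; it only narrows the search to the intervals worth lining up against the alert timestamps.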
