[Snort-users] http_inspect preprocessor and Snort sensor performance

Humes, David G. David.Humes at ...383...
Wed May 21 16:53:42 EDT 2008

I have been running the perfmon preprocessor for a few years now and
graphing the results using the pmgraph.pl script.  So, when I make any
changes it's easy to see if they have a negative overall impact on the
sensor by monitoring the drop rate, cpu stats, etc.  I noticed that sensor's
drop rate increases significantly if the http_inspect preprocessor is NOT
running.  If I comment out all of the http_inspect lines in snort.conf and
restart snort, the drop rate jumps up to around 30%.  When I enable
http_inspect, the drop rate hovers around 1-2%, more than I would like, but
that's a problem for another day.  This result is somewhat
counter-intuitive.  It would seem that snort has to do more work to inspect
HTTP traffic, which could result in an increased drop rate in a sensor that
is near it's maximum capability.  
I tried adjusting the flow_depth setting for http_inspect since I know it
can have a significant impact on performance.  If I set flow_depth to 0
(Inspect all server-side traffic), then I get the same result as disabling
http_inspect, i.e. the drop rate goes way up.  If I set it to -1 (Ignore all
server-side traffic), then the drop rate remains at a favorable level.
Setting it to 300 (the default) also results in favorable performance.  So,
from this one might conclude that disabling http_inspect by commenting out
all of it's configuration lines in snort.conf does not really disable it,
but only invokes some default, suboptimal configuration.  Or, maybe the
extra work done by http_inspect is offset by a diminished workload in the
rules engine.  Hopefully someone who knows a lot more about snort than me
can explain this behavior.  We are running snort  But, I have seen
this behavior as far back as 2.4.  
Dave Humes 
Johns Hopkins University Applied Physics Laboratory 
Telecommunications Group (ITC) 
david.humes at ...383... 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080521/76e5030c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3239 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080521/76e5030c/attachment.bin>

More information about the Snort-users mailing list