[Snort-users] 2.9.0.1 performance issue

Frank Eberle himself at ...15051...
Thu Nov 18 04:05:27 EST 2010


Hello,

Recently I updated an already running installation from 2.9.0 to 
2.9.0.1. Before the update the CPU load was about 30%. After a while I 
noticed that the snort process took 100% CPU time.

I compiled snort with performance profiler support to analyse the 
problem. I saw that rule 17468 was the busiest rule with 2.9.0.1, and 
in the preproc stats 'pcre' took much more time than with 2.9.0.

After tweaking the config file for some time, I found out that when 
setting the parameter http_inspect_server / server_flow_depth to -1 the 
CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the 
parameter to 0 or any value greater than 0, I saw the performance 
issue again.

Then I examined the source code (especially the code of http_inspect), 
and in my opinion the behaviour of server_flow_depth changed 
completely. With 2.9.0 a value > 0 limited the inspection of the entire 
HTTP response (including the body). Now with 2.9.0.1 only the first 
packet of the response (the header) is limited; all following response 
packets are examined. This explains the performance issue I observed. 
Rule 17468 examines HTTP responses. Its content match 
(content:"http|3A|") is not very selective, so the pcre test is called 
very often, which leads to the bad performance.

Has anybody noticed similar performance issues, or does anybody know 
why the http_inspect code was changed in this way? (Reading the comment 
in the changelog, the comment in the source code and the documentation, 
I think this behaviour is a bug.)

Regards

Frank
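To make the mechanism described in the post concrete, here is a small Python model added as an example; it is not Snort's code and not from the original message. It reproduces the two readings of server_flow_depth the post contrasts for a value > 0 (cap the entire response vs. cap only the first packet) and counts how often a cheap "http:" content prefilter forces the expensive pcre to run. The regex is a placeholder standing in for the rule's pcre, not the real pcre option of SID 17468; the HTTP response is constructed, not captured traffic; and the reading of -1 as "ignore all server traffic" and 0 as "inspect everything" follows the Snort manual as I understand it and should be treated as an assumption of the model.

```python
import re

# Cheap content prefilter from the rule discussed in the post, and an
# expensive regex it gates. The regex is a PLACEHOLDER for illustration;
# it is not the real pcre option of SID 17468.
CONTENT = b"http:"
PCRE = re.compile(rb"http:[^\s\"'<>]{1,200}?\.(?:exe|dll|scr)(?:[?#]|\b)",
                  re.IGNORECASE)


def inspectable_buffers(packets, depth, mode):
    """Return the byte buffers http_inspect would hand to the detection engine.

    packets: server->client packets in order; packets[0] carries the header.
    depth:   server_flow_depth. -1 = ignore all server traffic, 0 = inspect
             everything, N > 0 = inspect N bytes (this -1/0 reading follows the
             Snort manual; treat it as an assumption of this model).
    mode:    "entire_response"   - N caps the whole response (2.9.0, as the
                                   post describes it)
             "first_packet_only" - N caps only packets[0]; every later packet
                                   passes in full (2.9.0.1, as the post
                                   describes it)
    """
    if depth == -1:
        return []
    if depth == 0:
        return list(packets)
    if mode == "entire_response":
        out, remaining = [], depth
        for p in packets:
            if remaining <= 0:
                break
            out.append(p[:remaining])
            remaining -= len(p)
        return out
    if mode == "first_packet_only":
        return [packets[0][:depth]] + list(packets[1:])
    raise ValueError("unknown mode: %r" % mode)


def evaluate(packets, depth, mode):
    """Model the detection path: content prefilter per buffer, pcre on a hit.

    The pcre cost proxy is the number of bytes the regex has to scan; a miss
    scans the whole buffer, so large uncapped body buffers are what hurts.
    """
    stats = {"buffers": 0, "bytes_inspected": 0, "pcre_calls": 0,
             "pcre_bytes_scanned": 0, "alerts": 0}
    for buf in inspectable_buffers(packets, depth, mode):
        stats["buffers"] += 1
        stats["bytes_inspected"] += len(buf)
        if CONTENT not in buf:
            continue  # fast pattern missed: the rule is never evaluated
        stats["pcre_calls"] += 1
        stats["pcre_bytes_scanned"] += len(buf)
        if PCRE.search(buf):
            stats["alerts"] += 1
    return stats


# --- constructed sample response (not captured traffic) ---
HEADER = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache\r\n"
          b"Content-Type: text/html\r\n"
          b"\r\n"
          b"<html><head><title>links</title></head><body>\n")


def make_body_packets(n=10, links_per_packet=20):
    """Body full of ordinary links, so "http:" is present in every packet."""
    packets = []
    for i in range(n):
        packets.append(b"".join(
            b'<a href="http://example.test/page%d/%d.html">item</a>\n' % (i, j)
            for j in range(links_per_packet)))
    # One link to a binary at the very end: what the placeholder regex hunts for.
    packets[-1] += (b'<a href="http://example.test/download/setup.exe">get</a>\n'
                    b"</body></html>\n")
    return packets


RESPONSE = [HEADER] + make_body_packets()


def compare(depth=300):
    """Run the same response through every setting; returns {label: stats}."""
    return {
        "server_flow_depth -1": evaluate(RESPONSE, -1, "entire_response"),
        "server_flow_depth 0": evaluate(RESPONSE, 0, "entire_response"),
        "%d, entire response" % depth: evaluate(RESPONSE, depth, "entire_response"),
        "%d, first packet only" % depth: evaluate(RESPONSE, depth, "first_packet_only"),
    }


if __name__ == "__main__":
    for label, s in compare().items():
        print("%-24s buffers=%2d bytes=%6d pcre_calls=%2d pcre_bytes=%6d alerts=%d"
              % (label, s["buffers"], s["bytes_inspected"], s["pcre_calls"],
                 s["pcre_bytes_scanned"], s["alerts"]))
```

Running compare() shows the trade-off behind the observation in the post: with the cap applied to the entire response, the pcre runs once over a few hundred bytes and never sees the .exe link deep in the body; with the cap applied only to the first packet, every body packet carrying "http:" triggers a pcre scan over the whole packet, the same work as server_flow_depth 0. Setting -1 removes the cost because it removes server response inspection altogether, so it restores the old CPU figures at the price of not inspecting responses at all.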