[Snort-users] 220.127.116.11 performance issue
himself at ...15051...
Thu Nov 18 04:05:27 EST 2010
recently I've updated a already running installation from 2.9.0 to
18.104.22.168. Before the update CPU load was about 30%. After a while I've
recognized, that the snort process took 100% CPU time.
I've compiled snort with performance profiler support to analyse the
problem. I've seen that rule 17468 was the most busy rule with 22.214.171.124
and in the preproc stats 'pcre' took much more time than with 2.9.0.
After tweaking the config file for some time, I've found out that when
setting the parameter http_inspect_server / server_flow_depth to -1 the
CPU usage of 2.9.0 and 126.96.36.199 was nearly equal. When setting the
parameter to 0 or any value greater than 0, I've seen the performance
Then I've examined the source code (especially the code of http_inspect)
and in my opinion the behaviour of the server_flow_depth changed
completely. With 2.9.0 a value > 0 limited the inspection of the entire
HTTP response (including the body). Now with 188.8.131.52 only the first
response packet of the header is limited. All following response packets
are examined. This leads to my observed performance issue. Rule 17468
examines HTTP responses. The content match (content:"http|3A|") is not
very significant so the pcre test is called very often which leads to
the bad performance.
Has anybody recognized similar performance issues, or does anybody know
why the http_inspect code was changed in this way (when reading the
comment in the changelog, the comment in the source code and the
documentation I'm thinking that this behaviour is a bug).
More information about the Snort-users