[Snort-users] 2.9.0.1 performance issue

Russ Combs rcombs at ...1935...
Thu Nov 18 10:10:18 EST 2010


Thanks for the detailed report.  We are looking into it.

Russ

On Thu, Nov 18, 2010 at 4:05 AM, Frank Eberle <himself at ...15051...>wrote:

> Hello,
>
> recently I've updated a already running installation from 2.9.0 to
> 2.9.0.1. Before the update CPU load was about 30%. After a while I've
> recognized, that the snort process took 100% CPU time.
>
> I've compiled snort with performance profiler support to analyse the
> problem. I've seen that rule 17468 was the most busy rule with 2.9.0.1
> and in the preproc stats 'pcre' took much more time than with 2.9.0.
>
> After tweaking the config file for some time, I've found out that when
> setting the parameter http_inspect_server / server_flow_depth to -1 the
> CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the
> parameter to 0 or any value greater than 0, I've seen the performance
> issue again.
>
> Then I've examined the source code (especially the code of http_inspect)
> and in my opinion the behaviour of the server_flow_depth changed
> completely. With 2.9.0 a value > 0 limited the inspection of the entire
> HTTP response (including the body). Now with 2.9.0.1 only the first
> response packet of the header is limited. All following response packets
> are examined. This leads to my observed performance issue. Rule 17468
> examines HTTP responses. The content match (content:"http|3A|") is not
> very significant so the pcre test is called very often which leads to
> the bad performance.
>
> Has anybody recognized similar performance issues, or does anybody know
> why the http_inspect code was changed in this way (when reading the
> comment in the changelog, the comment in the source code and the
> documentation I'm thinking that this behaviour is a bug).
>
> Regards
>
> Frank
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101118/b0f7bb14/attachment.html>


More information about the Snort-users mailing list