Snort mailing list archives
Re: Stream4 and other stuff
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 29 Jun 2001 16:25:01 -0400
Ok, one thing that I've found to be helpful lately is to turn off shellcode.rules, it seems to be giving us a pretty heavy impact on performance lately. I'm not really sure where the other slowdowns are coming from though. I've been doing some profiling lately and it appears that Snort is spending lots of time in the pattern matcher (especially with shellcode.rules enabled) and that's causing problems. I don't think that stream4 is the overall cause of the packet loss, but I'm not sure where it's coming from at this time. My suggestion would be to start disabling various Snort plugins and rules files to see where the performance hit is coming from and to report from there once you have.

I'm very interested in this data as well, since I don't have a highly utilized network to test on, it's really difficult to test the performance of the system lately. One thing that I have found puzzling lately is that it almost appears as if the performance of the pattern matcher has gone *down*, which isn't at all right.

Printing sip:port->dip:port in the fishy TWH message shouldn't be a problem.

If you want to activate profiling to see where you're taking your big performance hits, compile Snort with the -gp switch in the Makefile, run the program, then run "gprof snort snort.gmon" to get a dump of the performance profile of the functions within Snort. I don't know what "Heisenberg factor" should be applied to the results, but it's a good place to start working the problem anyway.

-Marty

Phil Wood wrote:

> Marty,
>
> I'm getting extreme packet loss using Version 1.8-beta8 (Build 33).
>
> Snort received 242899 packets and dropped 3692706(93.828%) packets
> Breakdown by protocol:                Action Stats:
>     TCP: 233890     (5.943%)          ALERTS: 203
>     UDP: 7435       (0.189%)          LOGGED: 203
>    ICMP: 762        (0.019%)          PASSED: 4900
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>
> Running a tcpdump is clean (at a different time but with similar load), no packets dropped.
>
> LogMessage was called 9058 times prior to this with the message
>
> WARNING: Fishy TWH from client!
>
> Is there a way to identify the fishy client with some S:s->D:d in the message?
>
> I'm running these preprocessors:
>
> preprocessor defrag
> preprocessor stream4
> preprocessor stream4_reassemble
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
> preprocessor portscan-ignorehosts: $IGNOREHOSTS
>
> Thanks,
>
> --
> Phil Wood, cpw () lanl gov
--
Martin Roesch roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
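The exit summary Phil quotes is the first place a defender sees that a sensor has gone blind: Snort counted the packets it dropped, and 93.828% dropped means the rules were only ever evaluated against a small sample of the traffic. The following is an added example, not code from the thread or from the Snort project: a small Python parser for that summary block (the sample text below is constructed from the numbers Phil reported) that recomputes the drop rate from the raw counts, cross-checks it against the percentage Snort printed, and flags a sensor whose drop rate exceeds a threshold. The threshold, the function names and the `check_stats` consistency rules are my own assumptions.

```python
import re

# Constructed sample: the summary block Snort 1.8 prints at exit, using the
# counts quoted in the thread (layout is an assumption for illustration).
SAMPLE_STATS = """\
Snort received 242899 packets and dropped 3692706(93.828%) packets
Breakdown by protocol:                Action Stats:
    TCP: 233890     (5.943%)          ALERTS: 203
    UDP: 7435       (0.189%)          LOGGED: 203
   ICMP: 762        (0.019%)          PASSED: 4900
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
"""

RECEIVED_RE = re.compile(
    r"Snort received (\d+) packets and dropped (\d+)\((\d+\.\d+)%\) packets"
)
PROTO_RE = re.compile(r"^\s*(TCP|UDP|ICMP|ARP|IPv6):\s+(\d+)", re.M)
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED):\s+(\d+)")


def parse_stats(text):
    """Extract received/dropped counts, per-protocol counts and action counts."""
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("no 'Snort received ... packets' summary line found")
    received, dropped = int(m.group(1)), int(m.group(2))
    reported_pct = float(m.group(3))
    protocols = {proto: int(n) for proto, n in PROTO_RE.findall(text)}
    actions = {act: int(n) for act, n in ACTION_RE.findall(text)}
    return {
        "received": received,
        "dropped": dropped,
        "reported_drop_pct": reported_pct,
        "protocols": protocols,
        "actions": actions,
    }


def drop_rate(stats):
    """Drop percentage over everything the kernel handed Snort (received + dropped)."""
    total = stats["received"] + stats["dropped"]
    return 0.0 if total == 0 else 100.0 * stats["dropped"] / total


def check_stats(stats, max_drop_pct=1.0):
    """Return a list of findings; an empty list means the sensor looks healthy.

    max_drop_pct is an assumed operational threshold, not a Snort setting.
    """
    findings = []
    rate = drop_rate(stats)
    if rate > max_drop_pct:
        findings.append(
            f"drop rate {rate:.3f}% exceeds {max_drop_pct}%: "
            "rules were evaluated against only a fraction of the traffic"
        )
    # Snort's own percentage should agree with the raw counts; a mismatch
    # usually means the summary was truncated or mis-parsed.
    if abs(rate - stats["reported_drop_pct"]) > 0.01:
        findings.append("reported drop percentage does not match received/dropped counts")
    # The per-protocol breakdown counts only received packets, so it can
    # never exceed the received total.
    if sum(stats["protocols"].values()) > stats["received"]:
        findings.append("protocol breakdown exceeds the received packet count")
    return findings


if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    print(f"received={s['received']} dropped={s['dropped']} drop_rate={drop_rate(s):.3f}%")
    for f in check_stats(s):
        print("FINDING:", f)
```

Note that the protocol percentages in the block (TCP 5.943%) are taken over received plus dropped packets, which is why they sum to the received fraction rather than to 100%; a monitoring script that divides by received alone will silently report a healthy sensor.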