Snort mailing list archives

Re: Updated IP Blacklisting patch (version 2)


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 7 Jul 2009 20:02:53 -0400

On Tue, Jul 7, 2009 at 4:58 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
Yeaup, that was 15% more total utilization for that core. Snort was
using ~35% of a core to monitor ~450Mbit/s of traffic. After adding the
second pointer dereference it was using ~50% of a core to monitor the
same amount of traffic. FYI, this test snort instance has no rules
loaded and is using Phil Wood's MMAP'd libpcap with a 1GigaByte buffer
of system RAM.

If you look at the cpu.png file
(http://trojanedbinaries.com/security/snort/cpu.png) you can see the
spike in the green line (system%) and the dip in the blue line (idle%) @
16:00. That was when snort was relaunched with the double pointer
dereference in the call to the SnortEventqAdd function:

SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0,
list_names[(int)pn->data], 0);

But if you notice the dip in the green line and rise in the blue line
from 16:40-16:50, that was when I was running recompiled with the single
dereference:

foo = (int)pn->data;
SnortEventqAdd(GENERATOR_SPP_IPLIST, foo, 1, 0, 0, list_names[foo], 0);

Tried your new first function you posted and the results appear the
same. Good deal less processor utilization and no more packet loss and
your new function makes more sense for those using the whitelisting
functionality. Tried to use the fancy free way with the goto's, but gcc
got all whiny about something.


Might work better if I actually tried to compile the thing instead of
just banging it in in gmail.  Try this one:

===============

void IpListEval(Packet *p, void *context)
{
    struct addr saddr;
    struct addr daddr;
    s_ptrie_node_t *pn = NULL;
    int bl_ref = 0;

    if(!IsIP(p))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,
                                "   -> spp_iplist: Not IP\n"););
        return;
    }

    if(((IsTCP(p) && p->tcph->th_flags & TH_SYN)) ||
       (IsUDP(p)) || (IsICMP(p)))
    {
        addr_pack(&saddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_src,
                  IP_ADDR_LEN);

        addr_pack(&daddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_dst,
                  IP_ADDR_LEN);

        if(ip_whitelist)
        {
            if(s_ptrie_find_entry_byaddr(ip_whitelist, &saddr) ||
               s_ptrie_find_entry_byaddr(ip_whitelist, &daddr))
            {
                /* let's bail, should probably set do_detect to 0 too... */
                return;
            }
        }

        if(ip_blacklist)
        {
            if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &saddr)))
            {
                bl_ref = (int)pn->data;
                goto bl_detect;
            }
            else if((pn =  s_ptrie_find_entry_byaddr(ip_blacklist, &daddr)))
            {
                bl_ref = (int)pn->data;
                goto bl_detect;
            }

            goto bl_done;

bl_detect:
            if(!noalerts)
                SnortEventqAdd(GENERATOR_SPP_IPLIST, bl_ref, 1, 0, 0,
                               list_names[bl_ref], 0);
            if(!nodrops && InlineMode())
                InlineDrop(p);
        }
    }

bl_done:
    return;
}

===============


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
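As an added illustration (not Snort code and not posted by anyone in this thread), the stand-alone C program below mirrors the control flow of the IpListEval() above: the packet-type gate (TCP with SYN set, UDP, ICMP), the whitelist taking precedence over the blacklist, and the blacklist entry's data read once into a local and reused for both the event and the list name. The pkt_t, cidr_t, find_entry(), mk_pkt() and iplist_eval() names, the verdict enum and the sample address lists are all constructed for the example; a linear CIDR scan stands in for s_ptrie_find_entry_byaddr().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for Snort's Packet and s_ptrie types; this is an
   illustration of the patch's control flow, not Snort code. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define TH_SYN 0x02

enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

typedef struct {
    int is_ip;
    int proto;
    uint8_t tcp_flags;
    uint32_t src, dst;   /* host byte order to keep the example simple */
} pkt_t;

typedef struct {
    uint32_t net;
    int prefix;          /* 0..32, the span a ptrie entry would cover */
    int list_id;         /* plays the role of pn->data */
} cidr_t;

typedef enum { V_IGNORED, V_PASS, V_WHITELISTED, V_BLACKLISTED } verdict_t;

/* Constructed sample lists using documentation-range addresses (not real data). */
const char *list_names[] = { "whitelist", "bogon", "known-bad" };

static const cidr_t whitelist[] = {
    { IP4(10, 0, 0, 0),    8, 0 },
    { IP4(192, 0, 2, 77), 32, 0 },   /* one host carved out of a blacklisted /24 */
};
static const cidr_t blacklist[] = {
    { IP4(198, 51, 100, 0), 24, 1 },
    { IP4(192, 0, 2, 0),    24, 2 },
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Linear CIDR match standing in for s_ptrie_find_entry_byaddr(). */
static const cidr_t *find_entry(const cidr_t *tbl, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = tbl[i].prefix ? 0xFFFFFFFFu << (32 - tbl[i].prefix) : 0;
        if ((addr & mask) == (tbl[i].net & mask))
            return &tbl[i];
    }
    return NULL;
}

pkt_t mk_pkt(int proto, uint8_t tcp_flags, uint32_t src, uint32_t dst)
{
    pkt_t p = { 1, proto, tcp_flags, src, dst };
    return p;
}

/* Mirrors IpListEval(): gate on packet type, whitelist wins, and the blacklist
   hit's index is read once and reused for both the alert and the list name. */
verdict_t iplist_eval(const pkt_t *p, int *bl_ref)
{
    const cidr_t *e;
    *bl_ref = 0;
    if (!p->is_ip)
        return V_IGNORED;
    /* Only SYN-bearing TCP, UDP and ICMP are looked up, so an established TCP
       flow costs one lookup at setup rather than one per packet. */
    if (!((p->proto == PROTO_TCP && (p->tcp_flags & TH_SYN)) ||
          p->proto == PROTO_UDP || p->proto == PROTO_ICMP))
        return V_IGNORED;
    if (find_entry(whitelist, NELEM(whitelist), p->src) ||
        find_entry(whitelist, NELEM(whitelist), p->dst))
        return V_WHITELISTED;
    if ((e = find_entry(blacklist, NELEM(blacklist), p->src)) ||
        (e = find_entry(blacklist, NELEM(blacklist), p->dst))) {
        *bl_ref = e->list_id;     /* single read, as in the bl_ref local above */
        return V_BLACKLISTED;
    }
    return V_PASS;
}

int main(void)
{
    int ref;
    pkt_t p = mk_pkt(PROTO_TCP, TH_SYN, IP4(192, 0, 2, 5), IP4(203, 0, 113, 9));
    if (iplist_eval(&p, &ref) == V_BLACKLISTED)
        printf("alert: address on list %d (%s)\n", ref, list_names[ref]);
    return 0;
}
```

Note that the gate tests whether TH_SYN is set, not whether the packet is a bare SYN, so a SYN/ACK is also evaluated, exactly as in the function above; a whitelisted /32 inside a blacklisted /24 is honoured because the whitelist is consulted first and returns before any blacklist lookup.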

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net