Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 7 Jul 2009 20:02:53 -0400
On Tue, Jul 7, 2009 at 4:58 PM, Eoin Miller<eoin.miller () trojanedbinaries com> wrote:
Yeaup, that was 15% more total utilization for that core. Snort was using ~35% of a core to monitor ~450Mbit/s of traffic. After adding the second pointer dereference it was using ~50% of a core to monitor the same amount of traffic. FYI, this test snort instance has no rules loaded and is using Phil Wood's MMAP'd libpcap with a 1GigaByte buffer of system RAM. If you look at the cpu.png file (http://trojanedbinaries.com/security/snort/cpu.png) you can see the spike in the green line (system%) and the dip in the blue line (idle%) @ 16:00. That was when snort was relaunched with the double pointer derefrence in the call to the SnortEventqAdd function: SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0, list_names[(int)pn->data], 0); But if you notice the dip in the green line and rise in the blue line from 16:40-16:50, that was when I was running recompiled with the single derefrence: foo = (int)pn->data; SnortEventqAdd(GENERATOR_SPP_IPLIST, foo, 1, 0, 0, list_names[foo], 0); Tried your new first function you posted and the results appear the same. Good deal less processor utilization and no more packet loss and your new function makes more sense for those using the whitelisting functionality. Tried to use the fancy free way with the goto's, but gcc got all whiny about something.
Might work better if I actually tried to compile the thing instead of just banging it in in gmail. Try this one: =============== void IpListEval(Packet *p, void *conext) { struct addr saddr; struct addr daddr; s_ptrie_node_t *pn = NULL; int bl_ref = 0; if(!IsIP(p)) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, " -> spp_iplist: Not IP\n");); return; } if(((IsTCP(p) && p->tcph->th_flags & TH_SYN)) || (IsUDP(p)) || (IsICMP(p))) { addr_pack(&saddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_src, IP_ADDR_LEN); addr_pack(&daddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_dst, IP_ADDR_LEN); if(ip_whitelist) { if(s_ptrie_find_entry_byaddr(ip_whitelist, &saddr) || s_ptrie_find_entry_byaddr(ip_whitelist, &daddr)) { /* let's bail, should probably set do_detect to 0 too... */ return; } } if(ip_blacklist) { if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &saddr))) { bl_ref = (int)pn->data; goto bl_detect; } else if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &daddr))) { bl_ref = (int)pn->data; goto bl_detect; } goto bl_done; bl_detect: if(!noalerts) SnortEventqAdd(GENERATOR_SPP_IPLIST, bl_ref, 1, 0, 0, list_names[bl_ref], 0); if(!nodrops && InlineMode()) InlineDrop(p); } } bl_done: return; } =============== -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org ------------------------------------------------------------------------------ Enter the BlackBerry Developer Challenge This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 06)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 06)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 09)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 09)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 09)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 09)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 10)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jul 07)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jul 06)