Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 09 Jul 2009 09:34:31 -0400
Martin Roesch wrote:
> On Tue, Jul 7, 2009 at 4:58 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
>> Yeaup, that was 15% more total utilization for that core. Snort was using ~35% of a core
>> to monitor ~450Mbit/s of traffic. After adding the second pointer dereference it was using
>> ~50% of a core to monitor the same amount of traffic. FYI, this test snort instance has no
>> rules loaded and is using Phil Wood's MMAP'd libpcap with a 1GigaByte buffer of system RAM.
>>
>> If you look at the cpu.png file (http://trojanedbinaries.com/security/snort/cpu.png) you
>> can see the spike in the green line (system%) and the dip in the blue line (idle%) @ 16:00.
>> That was when snort was relaunched with the double pointer dereference in the call to the
>> SnortEventqAdd function:
>>
>> SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0, list_names[(int)pn->data], 0);
>>
>> But if you notice the dip in the green line and rise in the blue line from 16:40-16:50,
>> that was when I was running recompiled with the single dereference:
>>
>> foo = (int)pn->data;
>> SnortEventqAdd(GENERATOR_SPP_IPLIST, foo, 1, 0, 0, list_names[foo], 0);
>>
>> Tried your new first function you posted and the results appear the same. Good deal less
>> processor utilization and no more packet loss and your new function makes more sense for
>> those using the whitelisting functionality. Tried to use the fancy free way with the goto's,
>> but gcc got all whiny about something.
>
> Might work better if I actually tried to compile the thing instead of just banging it in
> in gmail.
>
> Try this one:
>
> ===============
> void IpListEval(Packet *p, void *context)
> {
>     struct addr saddr;
>     struct addr daddr;
>     s_ptrie_node_t *pn = NULL;
>     int bl_ref = 0;        /* list reference read from the matching node, once */
>
>     if(!IsIP(p))
>     {
>         DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, " -> spp_iplist: Not IP\n"););
>         return;
>     }
>
>     /* only evaluate TCP SYNs, UDP and ICMP */
>     if(((IsTCP(p) && p->tcph->th_flags & TH_SYN)) || (IsUDP(p)) || (IsICMP(p)))
>     {
>         addr_pack(&saddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_src, IP_ADDR_LEN);
>         addr_pack(&daddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_dst, IP_ADDR_LEN);
>
>         /* whitelist wins: either endpoint whitelisted ends evaluation */
>         if(ip_whitelist)
>         {
>             if(s_ptrie_find_entry_byaddr(ip_whitelist, &saddr) ||
>                s_ptrie_find_entry_byaddr(ip_whitelist, &daddr))
>             {
>                 /* let's bail, should probably set do_detect to 0 too... */
>                 return;
>             }
>         }
>
>         /* blacklist: source first, then destination */
>         if(ip_blacklist)
>         {
>             if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &saddr)))
>             {
>                 bl_ref = (int)pn->data;
>                 goto bl_detect;
>             }
>             else if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &daddr)))
>             {
>                 bl_ref = (int)pn->data;
>                 goto bl_detect;
>             }
>
>             goto bl_done;
>
> bl_detect:
>             if(!noalerts)
>                 SnortEventqAdd(GENERATOR_SPP_IPLIST, bl_ref, 1, 0, 0, list_names[bl_ref], 0);
>
>             if(!nodrops && InlineMode())
>                 InlineDrop(p);
>         }
>     }
>
> bl_done:
>     return;
> }
> ===============
Seems to work great with the goto's now (thanks!). Very small/non-functionality niggle with the output/alerting. Was wondering about this:

static void ProcessArgs(char *args)
{
    snprintf(eventstr, STD_BUF, "Access attempt from %s blacklisted IP address", arg);

"attempt from" might mean to some the src address is blacklisted. Since iplist fires on both src and dst maybe have something like:

    snprintf(eventstr, STD_BUF, "Communication with %s blacklisted IP address", arg);

Might help thwart some potential confusion down the road.

-- 
Eoin Miller
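A stand-alone model of the decision logic in the IpListEval function quoted above, added here as an example; it is not Snort code and not part of the patch discussed in this thread. The names (iplist_eval, list_find, iplist_alert, the list tables and the list_names entries) are constructed for the example, a linear longest-prefix scan stands in for the ptrie, and the IPv4 ranges are RFC 5737 documentation addresses. It keeps the ordering from the patch (a whitelist hit on either address ends evaluation, and the source is checked against the blacklist before the destination), reads the list reference out of the match once into a local the way the single-dereference version does, and formats the alert with the direction-neutral wording suggested in the reply.

```c
/* Added example modelling IpListEval's ordering; not Snort's code.
 * All tables, names and addresses below are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t net;   /* network address, host byte order */
    uint8_t  bits;  /* prefix length 0..32 */
    int      ref;   /* index into list_names[] */
} cidr_t;

/* Hypothetical list names, indexed by cidr_t.ref (constructed). */
static const char *list_names[] = { "example_list_a", "example_list_b" };
#define NUM_LISTS (sizeof list_names / sizeof list_names[0])

/* Constructed whitelist and blacklist (RFC 5737 documentation ranges). */
static const cidr_t whitelist[] = {
    { 0xC0000200u, 24, 0 },  /* 192.0.2.0/24 */
};
static const cidr_t blacklist[] = {
    { 0xC6336400u, 24, 0 },  /* 198.51.100.0/24  -> example_list_a */
    { 0xCB007100u, 24, 1 },  /* 203.0.113.0/24   -> example_list_b */
    { 0xCB007180u, 25, 0 },  /* 203.0.113.128/25 -> more specific, example_list_a */
};

/* Parse a dotted quad into host byte order; returns 0 on malformed input. */
uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Longest-prefix match, the job the ptrie does in the patch.
 * Returns the matching entry's ref, or -1 when nothing matches. */
int list_find(const cidr_t *list, size_t n, uint32_t ip) {
    int best_ref = -1, best_bits = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = list[i].bits == 0 ? 0 : 0xFFFFFFFFu << (32 - list[i].bits);
        if ((ip & mask) == (list[i].net & mask) && list[i].bits > best_bits) {
            best_bits = list[i].bits;
            best_ref  = list[i].ref;
        }
    }
    return best_ref;
}

typedef enum { VERDICT_PASS, VERDICT_WHITELISTED, VERDICT_BLACKLISTED } verdict_t;

typedef struct {
    verdict_t verdict;
    int       ref;          /* blacklist ref when VERDICT_BLACKLISTED, else -1 */
    int       matched_src;  /* 1 if the source hit, 0 if the destination hit */
} iplist_result_t;

iplist_result_t iplist_eval(uint32_t saddr, uint32_t daddr) {
    iplist_result_t r = { VERDICT_PASS, -1, 0 };
    size_t nwl = sizeof whitelist / sizeof whitelist[0];
    size_t nbl = sizeof blacklist / sizeof blacklist[0];
    int ref;

    /* Whitelist first: either endpoint being whitelisted ends evaluation. */
    if (list_find(whitelist, nwl, saddr) >= 0 || list_find(whitelist, nwl, daddr) >= 0) {
        r.verdict = VERDICT_WHITELISTED;
        return r;
    }
    /* Blacklist: source, then destination. The ref is read into a local
     * once and reused for both the alert and the list name lookup. */
    if ((ref = list_find(blacklist, nbl, saddr)) >= 0) {
        r.matched_src = 1;
    } else if ((ref = list_find(blacklist, nbl, daddr)) >= 0) {
        r.matched_src = 0;
    } else {
        return r;
    }
    r.verdict = VERDICT_BLACKLISTED;
    r.ref = ref;
    return r;
}

/* Alert text in the direction-neutral wording from the reply, since the
 * check fires whichever endpoint is blacklisted. Returns a static buffer. */
const char *iplist_alert(int ref) {
    static char buf[128];
    if (ref < 0 || (size_t)ref >= NUM_LISTS) return "";
    snprintf(buf, sizeof buf, "Communication with %s blacklisted IP address", list_names[ref]);
    return buf;
}

int main(void) {
    iplist_result_t r = iplist_eval(ip4("10.0.0.1"), ip4("203.0.113.200"));
    if (r.verdict == VERDICT_BLACKLISTED)
        printf("%s (matched %s)\n", iplist_alert(r.ref), r.matched_src ? "source" : "destination");
    return 0;
}
```

The /25 inside the /24 shows why the lookup has to be longest-prefix rather than first-match: a flat scan that stopped at the first hit would report the wrong list name for 203.0.113.128-255, which is exactly the kind of mismatch the alert wording discussion is about.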