Snort mailing list archives

Re: Stream4 and other stuff


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 29 Jun 2001 16:25:01 -0400

Ok, one thing that I've found to be helpful lately is to turn off
shellcode.rules; it seems to be giving us a pretty heavy impact on
performance lately.  I'm not really sure where the other slowdowns are
coming from, though.  I've been doing some profiling lately and it appears that
Snort is spending lots of time in the pattern matcher (especially with
shellcode.rules enabled) and that's causing problems.  I don't think
that stream4 is the overall cause of the packet loss, but I'm not sure
where it's coming from at this time.

My suggestion would be to start disabling various Snort plugins and
rules files to see where the performance hit is coming from and to
report from there once you have.  I'm very interested in this data as
well, since I don't have a highly utilized network to test on it's
really difficult to test the performance of the system lately.  One
thing that I have found puzzling lately is that it almost appears as if
the performance of the pattern matcher has gone *down*, which isn't at
all right.

Printing sip:port->dip:port in the fishy TWH message shouldn't be a
problem.

If you want to activate profiling to see where you're taking your big
performance hits, compile Snort with the -gp switch in the Makefile, run
the program, then run "gprof snort snort.gmon" to get a dump of the
performance profile of the functions within Snort.  I don't know what
"Heisenberg factor" should be applied to the results, but it's a good
place to start working the problem anyway.

     -Marty

Phil Wood wrote:

Marty,

I'm getting extreme packet loss using Version 1.8-beta8 (Build 33).

Snort received 242899 packets and dropped 3692706(93.828%) packets

Breakdown by protocol:            Action Stats:
TCP:  233890    (5.943%)          ALERTS: 203
UDP:  7435      (0.189%)          LOGGED: 203
ICMP: 762       (0.019%)          PASSED: 4900
ARP:  0         (0.000%)
IPv6: 0         (0.000%)

Running a tcpdump is clean (at a different time but with similar
load), no packets dropped.

LogMessage was called 9058 times prior to this with the message

  WARNING: Fishy TWH from client!

Is there a way to identify the fishy client with some S:s->D:d in the
message?

I'm running these preprocessors:

preprocessor defrag
preprocessor stream4
preprocessor stream4_reassemble
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
preprocessor portscan-ignorehosts: $IGNOREHOSTS

Thanks,

--
Phil Wood, cpw () lanl gov

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
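The two troubleshooting steps in this thread, quantifying the packet loss from Snort's run summary and bisecting the configuration one preprocessor or rules file at a time, lend themselves to a small helper. The script below is an added example, not code from the thread or from the Snort project. The statistics text is constructed from the counters Phil quoted; the snort.conf sample uses his preprocessor lines plus two assumed `include` lines (`shellcode.rules`, `web-cgi.rules`), and the 1% loss threshold is an assumed example value.

```python
"""Read Snort's run-summary counters and generate one snort.conf variant per
disabled preprocessor or rules file, so a performance regression can be bisected."""
import re
from dataclasses import dataclass, field

# Constructed from the counters quoted in the thread (Snort 1.8-beta8 output format).
SAMPLE_STATS = """\
Snort received 242899 packets and dropped 3692706(93.828%) packets

Breakdown by protocol:                Action Stats:
TCP: 233890     (5.943%)          ALERTS: 203
UDP: 7435       (0.189%)          LOGGED: 203
ICMP: 762        (0.019%)          PASSED: 4900
ARP: 0          (0.000%)
IPv6: 0          (0.000%)
"""

# Constructed: the preprocessor lines from the thread plus two assumed rules includes.
SAMPLE_CONF = """\
preprocessor defrag
preprocessor stream4
preprocessor stream4_reassemble
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
preprocessor portscan-ignorehosts: $IGNOREHOSTS
include shellcode.rules
include web-cgi.rules
"""

SUMMARY_RE = re.compile(r"Snort received (\d+) packets and dropped (\d+)\(([\d.]+)%\) packets")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|ARP|IPv6):\s+(\d+)\s+\(([\d.]+)%\)", re.M)
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED):\s+(\d+)")
CONF_LINE_RE = re.compile(r"^(preprocessor|include)\s+(\S+?)(?::|\s|$)")


@dataclass
class SnortStats:
    received: int
    dropped: int
    reported_drop_pct: float
    protocols: dict = field(default_factory=dict)  # name -> (count, percent)
    actions: dict = field(default_factory=dict)    # ALERTS/LOGGED/PASSED -> count

    @property
    def total(self) -> int:
        # Snort's percentages (drop and per-protocol) are taken over received + dropped.
        return self.received + self.dropped

    def drop_rate(self) -> float:
        return self.dropped / self.total if self.total else 0.0


def parse_stats(text: str) -> SnortStats:
    """Parse the summary line, the protocol breakdown and the action counters."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Snort received ... dropped' summary line found")
    stats = SnortStats(int(m.group(1)), int(m.group(2)), float(m.group(3)))
    for name, count, pct in PROTO_RE.findall(text):
        stats.protocols[name] = (int(count), float(pct))
    for name, count in ACTION_RE.findall(text):
        stats.actions[name] = int(count)
    return stats


def loss_is_excessive(stats: SnortStats, threshold: float = 0.01) -> bool:
    """True when more than `threshold` of the packets seen were dropped (1% is an assumed example)."""
    return stats.drop_rate() > threshold


def bisect_configs(conf: str) -> list:
    """Return (name, config_text) pairs, each with one preprocessor or include commented out."""
    lines = conf.splitlines()
    variants = []
    for i, line in enumerate(lines):
        m = CONF_LINE_RE.match(line)
        if not m:
            continue
        name = m.group(2)
        out = list(lines)
        out[i] = "# " + line
        if name == "stream4":
            # stream4_reassemble depends on stream4, so it is disabled in the same variant.
            out = ["# " + ln if ln.startswith("preprocessor stream4_reassemble") else ln for ln in out]
        variants.append((name, "\n".join(out) + "\n"))
    return variants


if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    print(f"drop rate {s.drop_rate():.3%} (Snort reported {s.reported_drop_pct}%)")
    if loss_is_excessive(s):
        for name, _ in bisect_configs(SAMPLE_CONF):
            print(f"variant: {name} disabled")
```

Run each generated variant for the same interval under the same load and compare the recomputed drop rate; the variant whose disabled component brings the rate down the most points at the culprit, which is the data Marty asks for above.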
