Snort mailing list archives
Re: stream4 performance problems
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 3 Mar 2003 08:31:34 -0500
Injection shouldn't seriously degrade the speed in theory; the way it handles all TCP segments is to buffer them until reassembly time, then do an in-order traversal of the storage tree. Insertion and splitting shouldn't really have that much of an effect on it. It's possible that the detection engine has a tougher time with it because of the way that Snort handles packets, causing it to burn more cycles at run time.

An easy way to test it is to turn off reassembly but leave stateful inspection on. Just comment out the "preprocessor stream4_reassemble" line in the snort.conf file and try that.

BTW, 2.0 is significantly faster than 1.9...

-Marty

On Thursday, February 27, 2003, at 03:13 AM, Edin Dizdarevic wrote:

> Hello Marty,
>
> An Athlon XP 2000+ and 512MB RAM. IBM HD 7200RPM, Gbit Intel NIC...
>
> I was doing some tests with Nessus, experimenting with NIDS evasion techniques. "Split" seems to be no problem for Snort but with "injection" I had to disable stateful inspection in order to achieve better performance. If I do that, Snort is having no problems up to 130Mbit/sec. I could not test it faster, because tcpreplay seems not to be able to send the packets faster than that. I don't know if that is a libnet or tcpreplay restriction.
>
> It wonders me indeed, because I thought that especially against such evasion techniques the stateful inspection should be used.
>
> Kind regards,
>
> Edin
>
> Martin Roesch wrote:
>
>> What hardware/OS are you running on? Sounds like it's fairly modest if it's having a tough time with 10Mbps...
>>
>> -Marty
>>
>> On Tuesday, February 25, 2003, at 08:29 AM, Edin Dizdarevic wrote:
>>
>>> Hello everybody
>>>
>>> During my performance tests I've noticed that using stream4 preprocessor can slow down the performance really badly in fast networks (over 10Mbit/s). Is anybody else having similar problems? Is there any other solution to solve the problems of TCP-reassembly? A proxy should help, since reassembly must be done there.
>
> --
> Edin Dizdarevic

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
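
The buffering model described in the message above, as an added example that is not part of the original post and is not Snort source code: segments are stored in a tree keyed by sequence offset and emitted by an in-order traversal at reassembly time. The plain (unbalanced) binary search tree, offsets relative to the initial sequence number, the 64-byte payload limit, the overlap policy (bytes already emitted win) and all names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct seg {              /* added illustration, not Snort source */
    uint32_t seq, len;            /* seq: offset from initial sequence number */
    uint8_t data[64];             /* assumed payload limit for the demo */
    struct seg *left, *right;
} seg_t;

/* Buffer one segment in a tree keyed by seq; arrival order does not matter. */
seg_t *seg_insert(seg_t *root, uint32_t seq, const char *payload) {
    seg_t **p = &root;
    while (*p) p = seq < (*p)->seq ? &(*p)->left : &(*p)->right;
    seg_t *n = *p = calloc(1, sizeof *n);
    if (!n) abort();
    n->seq = seq;
    n->len = (uint32_t)strlen(payload);
    if (n->len > sizeof n->data) n->len = sizeof n->data;
    memcpy(n->data, payload, n->len);
    return root;
}

/* Reassembly time: in-order walk. Bytes already emitted win over overlapping
 * copies (assumed policy); a hole stops the flush. Frees nodes as it goes. */
void seg_flush(seg_t *n, char *out, uint32_t cap, uint32_t *next) {
    if (!n) return;
    seg_flush(n->left, out, cap, next);
    uint32_t end = n->seq + n->len;
    if (n->seq <= *next && end > *next) {
        uint32_t skip = *next - n->seq, take = end - *next;
        if (take > cap - *next) take = cap - *next;
        memcpy(out + *next, n->data + skip, take);
        *next += take;
    }
    seg_flush(n->right, out, cap, next);
    free(n);
}

int main(void) {   /* constructed sample: out of order, overlap, retransmit */
    const uint32_t seq[] = {4, 0, 2, 10, 0};
    const char *pl[] = {"/index", "GET ", "T /i", ".html", "GET "};
    char out[32] = {0};
    uint32_t next = 0;
    seg_t *t = NULL;
    for (int i = 0; i < 5; i++) t = seg_insert(t, seq[i], pl[i]);
    seg_flush(t, out, sizeof out - 1, &next);
    printf("%u bytes: %s\n", (unsigned)next, out);
    return 0;
}
```

Every overlapping or retransmitted segment still costs an allocation, a tree descent and a visit during the flush even when none of its bytes reach the output, which is the kind of extra per-segment work the thread is trying to measure.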