Snort mailing list archives

Re: stream4 performance problems


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 3 Mar 2003 08:31:34 -0500


Injection shouldn't seriously degrade the speed in theory; the way it handles all TCP segments is to buffer them until reassembly time, then do an in-order traversal of the storage tree. Insertion and splitting shouldn't really have that much of an effect on it. It's possible that the detection engine has a tougher time with it because of the way that Snort handles packets, causing it to burn more cycles at run time. An easy way to test it is to turn off reassembly but leave stateful inspection on. Just comment out the "preprocessor stream4_reassemble" line in the snort.conf file and try that.

BTW, 2.0 is significantly faster than 1.9...

    -Marty


On Thursday, February 27, 2003, at 03:13 AM, Edin Dizdarevic wrote:


Hello Marty,

An Athlon XP 2000+ and 512MB RAM. IBM HD 7200RPM,
Gbit Intel NIC...

I was doing some tests with Nessus experimenting with
NIDS evasion techniques. "Split" seems to be no
problem for Snort but with "injection" I had to
disable stateful inspection in order to achieve
better performance.

If I do that, Snort is having no problems up
to 130Mbit/sec. I could not test it faster,
because tcpreplay seems not to be able to send
the packets faster than that. I don't know if that
is a libnet or tcpreplay restriction.

It does surprise me, because I thought that
especially against such evasion techniques
the stateful inspection should be used.

Kind regards,

Edin


Martin Roesch wrote:
What hardware/OS are you running on? Sounds like it's fairly modest if it's having a tough time with 10Mbps...
     -Marty
On Tuesday, February 25, 2003, at 08:29 AM, Edin Dizdarevic wrote:

Hello everybody

During my performance tests I've noticed that
using the stream4 preprocessor can slow down the
performance really badly in fast networks (over
10Mbit/s).

Is anybody else having similar problems?

Is there any other solution to solve the problems
of TCP-reassembly?

A proxy should help, since reassembly must be done there.



--
Edin Dizdarevic


-- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
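The buffer-then-walk scheme Marty describes at the top of the thread, as an added illustration that is not Snort's or stream4's code: segments are stored keyed by sequence number and only concatenated at reassembly time, a later overlapping segment (the "injection" case) is dropped in favour of the copy that arrived first, and a hole stops the walk. The first-wins overlap policy and the Stream class and its method names are assumptions of this example, not stream4's documented behaviour; the segments are constructed.

```python
"""Sequence-keyed TCP segment buffering with in-order reassembly.

Illustration only (not Snort code). Overlap policy is "first arrival
wins", chosen here as an assumption; real stacks and IDS engines differ,
and a mismatch between the two is exactly what injection evasion abuses.
"""
from bisect import insort


class Stream:
    """One direction of a TCP stream: segments buffered until reassembly."""

    def __init__(self, isn):
        self.expect = isn   # sequence number of the first byte not yet emitted
        self._n = 0         # arrival counter, breaks ties between equal seqs
        self.segs = []      # sorted (seq, arrival, payload) tuples

    def insert(self, seq, payload):
        """Store a segment in sequence order; nothing is reassembled yet."""
        insort(self.segs, (seq, self._n, payload))
        self._n += 1

    def reassemble(self):
        """In-order traversal of the buffer.

        Contiguous bytes are emitted and released from the buffer; the walk
        stops at the first hole. Bytes that overlap data already emitted
        (a retransmission or an injected duplicate) are discarded, so the
        earliest-arriving copy wins.
        """
        out = bytearray()
        consumed = 0
        for seq, _, data in self.segs:
            if seq > self.expect:            # hole before this segment
                break
            skip = self.expect - seq         # prefix already covered
            if skip < len(data):
                out += data[skip:]
                self.expect = seq + len(data)
            consumed += 1
        del self.segs[:consumed]             # release consumed segments
        return bytes(out)

    def gap(self):
        """Sequence number the stream is waiting on when data sits behind a hole."""
        return self.expect if self.segs else None


# Constructed example: the second segment arrives before the first.
stream = Stream(1000)
stream.insert(1008, b"ex.html HTTP/1.0\r\n")
stream.insert(1000, b"GET /")
stream.insert(1005, b"ind")
print(stream.reassemble())   # b'GET /index.html HTTP/1.0\r\n'
```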


