Snort mailing list archives

Re: stream4 performance problems


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Mon, 03 Mar 2003 17:10:10 +0100

Hi Marty,

Martin Roesch wrote:
> Injection shouldn't seriously degrade the speed in theory, the way it
> handles all TCP segments is to buffer them until reassembly time, then

...which is controlled through the timeout variable, I assume.

But in that case an attacker would have an easy game to spread an
attack across a few segments, since the TCP session may go over
several days. Is that assumption correct?

On the other hand what about transferring a lot of data, one or two
gigs, for example. Reassembling the complete stream would need very
much memory and is virtually impossible.

How is that done in Snort 2.0?

Best regards,

Edin



> do an in-order traversal of the storage tree. Insertion and splitting
> shouldn't really have that much of an effect on it. It's possible that
> the detection engine has a tougher time with it because of the way that
> Snort handles packets, causing it to burn more cycles at run time. An
> easy way to test it is to turn off reassembly but leave stateful
> inspection on. Just comment out the "preprocessor stream4_reassemble"
> line in the snort.conf file and try that.


--
Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic () interActive-Systems de
URL     http://www.interActive-Systems.de/security
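Added illustration (editor's example, not Snort's stream4 code and not written by anyone in this thread): a toy model of the "buffer every segment, then traverse the store in sequence order at reassembly time" design that Marty describes, used to make Edin's two questions concrete. A signature split across out-of-order segments is invisible to per-packet matching but found once the flow is flushed in order, and a per-flow byte cap plus an idle timeout bound the memory a long or large session can tie up. The class name FlowReassembler, the max_bytes and timeout parameters, the sample request and the sizes are all assumptions made for the example; real reassemblers also have to deal with gaps, overlaps and retransmissions, which this toy does not.

```python
# Toy per-flow TCP reassembler: buffer segments, emit the in-order stream on
# flush. Added example; the names, limits and sample traffic are assumptions.

PATTERN = b"/cgi-bin/phf"  # constructed sample signature to search for


class FlowReassembler:
    """Keeps payloads keyed by sequence number (the 'storage tree') and only
    produces a contiguous byte stream when flushed."""

    def __init__(self, max_bytes=64 * 1024, timeout=30.0):
        self.max_bytes = max_bytes   # per-flow memory bound (assumed policy)
        self.timeout = timeout       # idle seconds before the flow is expired
        self.store = {}              # seq -> payload
        self.buffered = 0            # bytes currently held for this flow
        self.last_seen = None
        self.flushes = 0
        self.peak = 0                # largest amount ever buffered at once

    def insert(self, seq, payload, now):
        """Buffer one segment. If the cap would be exceeded, flush first and
        return the reassembled bytes; otherwise return None."""
        out = None
        if self.buffered + len(payload) > self.max_bytes:
            out = self.flush()
        self.store[seq] = payload    # toy: a repeated seq simply overwrites
        self.buffered += len(payload)
        self.peak = max(self.peak, self.buffered)
        self.last_seen = now
        return out

    def expired(self, now):
        """True once the flow has been idle longer than the timeout."""
        return self.last_seen is not None and now - self.last_seen > self.timeout

    def flush(self):
        """In-order traversal: concatenate payloads by ascending sequence
        number (sorted keys stand in for an in-order tree walk)."""
        data = b"".join(self.store[s] for s in sorted(self.store))
        self.store.clear()
        self.buffered = 0
        self.flushes += 1
        return data


def segments_for(data, sizes, start_seq=1000):
    """Cut data into (seq, payload) segments of the given sizes."""
    segs, seq, off = [], start_seq, 0
    for n in sizes:
        segs.append((seq, data[off:off + n]))
        seq += n
        off += n
    return segs


def demo_split_attack():
    """Signature spread over three out-of-order segments (constructed):
    per-packet matching misses it, matching on the flushed stream finds it.
    Returns (per_packet_hits, found_after_reassembly, stream_is_intact)."""
    request = b"GET /cgi-bin/phf HTTP/1.0\r\n"
    segs = segments_for(request, [6, 7, len(request) - 13])
    segs = [segs[2], segs[0], segs[1]]          # arrive out of order
    per_packet = sum(PATTERN in payload for _, payload in segs)
    flow = FlowReassembler()
    for i, (seq, payload) in enumerate(segs):
        flow.insert(seq, payload, now=float(i))
    stream = flow.flush()
    return per_packet, PATTERN in stream, stream == request


def demo_memory_bound():
    """A 1 MiB transfer in 1460-byte segments through a flow capped at 64 KiB:
    the store never holds more than the cap, at the price that a match
    straddling a forced flush would be missed. Returns (within_cap, flushes)."""
    total, mss, cap = 1 << 20, 1460, 64 * 1024
    flow = FlowReassembler(max_bytes=cap)
    seq = 1
    for i in range(total // mss):
        flow.insert(seq, b"A" * mss, now=float(i))
        seq += mss
    flow.flush()
    return flow.peak <= cap, flow.flushes


def demo_timeout():
    """A flow that goes quiet is expired after the idle timeout, so a session
    cannot hold buffered segments open indefinitely. Returns (at_10s, at_45s)."""
    flow = FlowReassembler(timeout=30.0)
    flow.insert(1, b"GET /cgi-", now=0.0)
    return flow.expired(now=10.0), flow.expired(now=45.0)


if __name__ == "__main__":
    print("split attack:", demo_split_attack())
    print("memory bound:", demo_memory_bound())
    print("timeout:", demo_timeout())
```

The cap and the timeout are the two knobs that answer the questions above in this model: the timeout is what ends a long-lived idle session, and the byte cap is what keeps a multi-gigabyte transfer from being held in memory as a whole. Both are tunable trade-offs, since a forced flush or an expiry can split a pattern across two reassembled chunks, which is the same evasion the reassembler exists to prevent.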



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

