Re: stream4 performance problems

[Martin Roesch <roesch () sourcefire com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Monday, March 3, 2003, at 11:10  AM, Edin Dizdarevic wrote:

> Hi Marty,
>
> Martin Roesch wrote:
> > Injection shouldn't seriously degrade the speed in theory, the way it 
> > handles all TCP segments is to buffer them until reassembly time, >> then
>
> ...which is controlled through the timeout variable, I assume.
>
> But in that case an attacker would have an easy game to spread an
> attack accross a few segments, since the TCP session may go over
> several days. Is that assumption correct?

Depends on the application protocol really.  Stream4 has the capability 
to pick a stream back up in "midflight" if it's not in the stream 
tracker tree, so you can't evade us easily by letting the session 
timeout.

> On the other hand what about transferring a lot of data, one or two
> gigs, for example. Reassembling the complete stream would need very
> much memory and is virtually impossible.
>
> How is that done in Snort 2.0?

It's not.  We pick random flush points for the ports we're doing 
reassembly on and flush then.  Obviously we can't possibly buffer the 
entire stream because it can potentially be huge.  OTOH, the flush 
method has its ups and downs.  Probably the best way to do it with our 
new finite automa-based pattern matching is just to keep a pointer into 
the match tree and do partial matches as we walk through the stream.

     -Marty

> Best regards,
>
> Edin
>
>
>
> > do an in-order traversal of the storage tree.  Insertion and 
> > splitting shouldn't really have that much of an effect on it.  It's 
> > possible that the detection engine has a tougher time with it because 
> > of the way that Snort handles packets, causing it to burn more cycles 
> > at run time.  An easy way to test it is to turn off reassembly but 
> > leave stateful inspection on.  Just comment out the "preprocessor 
> > stream4_reassemble" line in the snort.conf file and try that.
>
> --
> Edin Dizdarevic
> Networking Unit
> Internet- & e-Security
>
> iAS interActive Systems
> Gesellschaft fuer interaktive Medien mbH
> Dieffenbachstr. 33c
> 10967 Berlin
> Germany
>
> fon     +49-(0)30 69 004-123
> fax     +49-(0)30 69 004-101
> mail    edin.dizdarevic () interActive-Systems de
> URL     http://www.interActive-Systems.de/security
- -- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+dUX5qj0FAQQ3KOARAo+WAJ9k9I0uE/dbWvQkvgiofYIobhp9qwCfQAaf
ZWFc6XpvGPBuxmMHDjx2yxs=
=eSxR
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users