Snort mailing list archives
Re: stream4 performance problems
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 16 Mar 2003 22:50:13 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, March 3, 2003, at 11:10 AM, Edin Dizdarevic wrote:
Hi Marty, Martin Roesch wrote:Injection shouldn't seriously degrade the speed in theory, the way it handles all TCP segments is to buffer them until reassembly time, >> then...which is controlled through the timeout variable, I assume. But in that case an attacker would have an easy game to spread an attack accross a few segments, since the TCP session may go over several days. Is that assumption correct?
Depends on the application protocol really. Stream4 has the capability to pick a stream back up in "midflight" if it's not in the stream tracker tree, so you can't evade us easily by letting the session timeout.
On the other hand what about transferring a lot of data, one or two gigs, for example. Reassembling the complete stream would need very much memory and is virtually impossible. How is that done in Snort 2.0?
It's not. We pick random flush points for the ports we're doing reassembly on and flush then. Obviously we can't possibly buffer the entire stream because it can potentially be huge. OTOH, the flush method has its ups and downs. Probably the best way to do it with our new finite automa-based pattern matching is just to keep a pointer into the match tree and do partial matches as we walk through the stream.
-Marty
- -- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616Best regards, Edindo an in-order traversal of the storage tree. Insertion and splitting shouldn't really have that much of an effect on it. It's possible that the detection engine has a tougher time with it because of the way that Snort handles packets, causing it to burn more cycles at run time. An easy way to test it is to turn off reassembly but leave stateful inspection on. Just comment out the "preprocessor stream4_reassemble" line in the snort.conf file and try that.-- Edin Dizdarevic Networking Unit Internet- & e-Security iAS interActive Systems Gesellschaft fuer interaktive Medien mbH Dieffenbachstr. 33c 10967 Berlin Germany fon +49-(0)30 69 004-123 fax +49-(0)30 69 004-101 mail edin.dizdarevic () interActive-Systems de URL http://www.interActive-Systems.de/security
Sourcefire: Enterprise-class Intrusion detection built on Snort roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+dUX5qj0FAQQ3KOARAo+WAJ9k9I0uE/dbWvQkvgiofYIobhp9qwCfQAaf ZWFc6XpvGPBuxmMHDjx2yxs= =eSxR -----END PGP SIGNATURE----- -------------------------------------------------------This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- stream4 performance problems Edin Dizdarevic (Feb 25)
- Re: stream4 performance problems Martin Roesch (Feb 26)
- Re: stream4 performance problems Edin Dizdarevic (Feb 27)
- Re: stream4 performance problems Martin Roesch (Feb 27)
- Re: stream4 performance problems Edin Dizdarevic (Feb 27)
- Re: stream4 performance problems Erek Adams (Feb 27)
- Re: stream4 performance problems Chris Green (Feb 27)
- Re: stream4 performance problems Edin Dizdarevic (Feb 27)
- Re: stream4 performance problems Martin Roesch (Mar 03)
- Re: stream4 performance problems Edin Dizdarevic (Mar 03)
- Re: stream4 performance problems Martin Roesch (Mar 16)
- Re: stream4 performance problems Martin Roesch (Feb 26)