Snort mailing list archives

flowbits performance hit?


From: sekure <sekure () gmail com>
Date: Tue, 5 Oct 2004 08:44:54 -0400

Greetings,

This morning I came in to find over 450 "JPEG parser multipacket heap
overflow" alerts (sid:2707), from a single conversation last night.
It's clearly a false positive, but it helped me identify a few problems
with my setup, and I was hoping for some assistance with this one:

I am running a fairly beefy box with Intel quad server PCI-X card and
Phil Wood's modified libpcap, logging fast alerts to a text file and
also writing a unified log for processing with barnyard.  Never had an
issue with dropped packets, handling up to 30Mbps in some cases, until
last night that is.  As soon as these alerts started coming, the
dropped packets jumped, up to 17% in one case.  The CPU shot up to
around 20% also, the highest I've ever seen it.  The throughput at
the time was 1Mbps, so I know it isn't the capture/libpcap that's the
problem.  Here are a few lines from snort.stats, including the few
lines before this happened:

1096935943,0.000,0.5,0.0,0.1,845,26.69,1.4,1.4,2.7,2.6,122,379,19.5,0,11,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.4
1096936258,0.000,0.8,0.0,0.2,772,59.91,2.7,1.1,2.6,2.6,108,379,15.5,0,10,0.0,0.0,0.0,0.0,0,0,2.7,0.1,97.3
1096936572,17.124,1.0,0.1,0.2,796,73.36,0.8,0.8,2.1,2.1,117,379,10.1,0,10,0.0,0.0,0.0,0.0,0,0,26.2,0.1,73.7
1096936894,0.000,1.2,0.0,0.2,798,75.49,2.4,0.8,2.1,2.2,81,379,9.6,0,11,0.0,0.0,0.0,0.0,0,0,4.5,0.1,95.4
1096937223,4.562,1.1,0.0,0.2,830,69.63,1.4,1.3,2.7,2.6,125,379,14.5,0,10,0.0,0.0,0.0,0.0,0,0,9.7,0.1,90.2
1096937537,2.043,1.2,0.1,0.2,761,70.20,3.1,1.4,2.9,2.9,138,379,16.4,0,10,0.0,0.0,0.0,0.0,0,0,13.4,0.1,86.5
1096937888,9.142,1.2,0.0,0.2,859,71.16,1.3,1.2,2.6,2.7,103,379,17.6,0,11,0.0,0.0,0.0,0.0,0,0,19.9,0.1,80.0

Can this possibly be related to flowbits, since this rule uses them?
This is a wild speculation of course, but I don't know what else to
attribute this to.  Or can the fact that I am logging fast alerts to a
text file really be that much of a performance hit?

Any ideas?
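An added example, not part of the original post: a small script that reads the snort.stats (perfmonitor) lines quoted above, flags the intervals with packet drops, and computes how strongly the drop percentage tracks user CPU across the intervals. Field positions are assumptions made here from the post itself: field 2 is taken as the percentage of packets dropped (the 17.124 value is the poster's "17%"), and the last three fields as user/system/idle CPU (the 26.2 user value is the poster's "around 20%"). The remaining fields are left unnamed; the threshold and function names are this example's own.

```python
"""Flag drop spikes in Snort perfmonitor (snort.stats) CSV output.

Example code added to the archived post; not from the poster or the Snort
project. Assumed field layout (inferred from the post, not from Snort docs):
  field 1      -> epoch timestamp of the interval
  field 2      -> percent of packets dropped in the interval
  last 3 fields -> user, system, idle CPU percent
Every other field is ignored here.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List

# The seven snort.stats lines quoted in the post, embedded as sample input.
SAMPLE_STATS = """\
1096935943,0.000,0.5,0.0,0.1,845,26.69,1.4,1.4,2.7,2.6,122,379,19.5,0,11,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.4
1096936258,0.000,0.8,0.0,0.2,772,59.91,2.7,1.1,2.6,2.6,108,379,15.5,0,10,0.0,0.0,0.0,0.0,0,0,2.7,0.1,97.3
1096936572,17.124,1.0,0.1,0.2,796,73.36,0.8,0.8,2.1,2.1,117,379,10.1,0,10,0.0,0.0,0.0,0.0,0,0,26.2,0.1,73.7
1096936894,0.000,1.2,0.0,0.2,798,75.49,2.4,0.8,2.1,2.2,81,379,9.6,0,11,0.0,0.0,0.0,0.0,0,0,4.5,0.1,95.4
1096937223,4.562,1.1,0.0,0.2,830,69.63,1.4,1.3,2.7,2.6,125,379,14.5,0,10,0.0,0.0,0.0,0.0,0,0,9.7,0.1,90.2
1096937537,2.043,1.2,0.1,0.2,761,70.20,3.1,1.4,2.9,2.9,138,379,16.4,0,10,0.0,0.0,0.0,0.0,0,0,13.4,0.1,86.5
1096937888,9.142,1.2,0.0,0.2,859,71.16,1.3,1.2,2.6,2.7,103,379,17.6,0,11,0.0,0.0,0.0,0.0,0,0,19.9,0.1,80.0
"""


@dataclass
class Interval:
    ts: int
    drop_pct: float
    cpu_user: float
    cpu_sys: float
    cpu_idle: float


def parse_stats(text: str) -> List[Interval]:
    """Parse perfmonitor CSV lines using the assumed field positions above."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) < 5:
            raise ValueError(f"short perfmon record: {line!r}")
        out.append(Interval(int(f[0]), float(f[1]),
                            float(f[-3]), float(f[-2]), float(f[-1])))
    return out


def drop_spikes(intervals: List[Interval], threshold: float = 1.0) -> List[Interval]:
    """Intervals whose drop percentage is at or above the (hypothetical) threshold."""
    return [i for i in intervals if i.drop_pct >= threshold]


def drop_cpu_correlation(intervals: List[Interval]) -> float:
    """Pearson correlation between drop percent and user CPU across intervals.

    A value near 1.0 means drops rose and fell with user CPU, which points at
    the detection engine rather than the capture path.
    """
    xs = [i.drop_pct for i in intervals]
    ys = [i.cpu_user for i in intervals]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


if __name__ == "__main__":
    ivals = parse_stats(SAMPLE_STATS)
    for i in drop_spikes(ivals):
        print(f"{i.ts}: drop={i.drop_pct:6.3f}%  user={i.cpu_user:5.1f}%  idle={i.cpu_idle:5.1f}%")
    print(f"drop/user-CPU correlation: {drop_cpu_correlation(ivals):.3f}")
```

Point the script at a real snort.stats file by replacing SAMPLE_STATS with the file's contents; lines starting with `#` are skipped so a header comment does not break parsing.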



