Re: [Snort-users] 2.9.0.1 performance issue

[matan monitz <mmonitz () gmail com>]

sounds related to the http_inspect\stream reassembly bugfix

On Thu, Nov 18, 2010 at 4:31 PM, Matt Olney <molney () sourcefire com> wrote:

> Hi Frank!
>
> Copying the devel list so the Snort team will see this.
>
> Matt
> VRT
>
> On Thu, Nov 18, 2010 at 4:05 AM, Frank Eberle <himself () frank-eberle de>wrote:
>
> > Hello,
> >
> > recently I've updated a already running installation from 2.9.0 to
> > 2.9.0.1. Before the update CPU load was about 30%. After a while I've
> > recognized, that the snort process took 100% CPU time.
> >
> > I've compiled snort with performance profiler support to analyse the
> > problem. I've seen that rule 17468 was the most busy rule with 2.9.0.1
> > and in the preproc stats 'pcre' took much more time than with 2.9.0.
> >
> > After tweaking the config file for some time, I've found out that when
> > setting the parameter http_inspect_server / server_flow_depth to -1 the
> > CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the
> > parameter to 0 or any value greater than 0, I've seen the performance
> > issue again.
> >
> > Then I've examined the source code (especially the code of http_inspect)
> > and in my opinion the behaviour of the server_flow_depth changed
> > completely. With 2.9.0 a value > 0 limited the inspection of the entire
> > HTTP response (including the body). Now with 2.9.0.1 only the first
> > response packet of the header is limited. All following response packets
> > are examined. This leads to my observed performance issue. Rule 17468
> > examines HTTP responses. The content match (content:"http|3A|") is not
> > very significant so the pcre test is called very often which leads to
> > the bad performance.
> >
> > Has anybody recognized similar performance issues, or does anybody know
> > why the http_inspect code was changed in this way (when reading the
> > comment in the changelog, the comment in the source code and the
> > documentation I'm thinking that this behaviour is a bug).
> >
> > Regards
> >
> > Frank
> >
> >
> > ------------------------------------------------------------------------------
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today
> > http://p.sf.net/sfu/msIE9-sfdev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel