
List:       snort-users
Subject:    Re: [Snort-users] 2.9.0.1 performance issue
From:       Russ Combs <rcombs () sourcefire ! com>
Date:       2010-11-18 15:10:18
Message-ID: AANLkTik5XadPoFn1XLKLbogBfw=JnrgvKRtcnA0LCu14 () mail ! gmail ! com


Thanks for the detailed report.  We are looking into it.

Russ

On Thu, Nov 18, 2010 at 4:05 AM, Frank Eberle <himself@frank-eberle.de> wrote:

> Hello,
>
> recently I've updated an already running installation from 2.9.0 to
> 2.9.0.1. Before the update CPU load was about 30%. After a while I've
> recognized that the snort process took 100% CPU time.
>
> I've compiled snort with performance profiler support to analyse the
> problem. I've seen that rule 17468 was the most busy rule with 2.9.0.1
> and in the preproc stats 'pcre' took much more time than with 2.9.0.
>
> After tweaking the config file for some time, I've found out that when
> setting the parameter http_inspect_server / server_flow_depth to -1 the
> CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the
> parameter to 0 or any value greater than 0, I've seen the performance
> issue again.
>
> Then I've examined the source code (especially the code of http_inspect)
> and in my opinion the behaviour of the server_flow_depth changed
> completely. With 2.9.0 a value > 0 limited the inspection of the entire
> HTTP response (including the body). Now with 2.9.0.1 only the first
> response packet of the header is limited. All following response packets
> are examined. This leads to my observed performance issue. Rule 17468
> examines HTTP responses. The content match (content:"http|3A|") is not
> very significant so the pcre test is called very often which leads to
> the bad performance.
>
> Has anybody recognized similar performance issues, or does anybody know
> why the http_inspect code was changed in this way? (When reading the
> comment in the changelog, the comment in the source code and the
> documentation, I think that this behaviour is a bug.)
>
> Regards
>
> Frank
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
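To make the two server_flow_depth semantics described in the quoted report concrete, here is a small added model (not Snort source, not code from either poster) that bounds a multi-packet HTTP response the two ways Frank contrasts, then counts how often a rule whose only content prefilter is "http:" would reach its pcre. The header, body packets and the stand-in regex are constructed for the illustration; rule 17468's real pcre is not reproduced. The meanings assumed for the two special values are the Snort manual's: -1 ignores the server response entirely, 0 inspects all of it.

```python
"""Model of server_flow_depth: 'whole response' bounding (as the report
describes 2.9.0) versus 'first packet only' bounding (as it describes 2.9.0.1),
and the effect on pcre evaluations for a weakly prefiltered rule.
Added illustration; constructed data; not Snort's implementation."""
import re

# Constructed sample response: a short header packet followed by four body
# packets full of links, so the content:"http|3A|" prefilter fires on each.
HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: x\r\n\r\n"
BODY_PACKET = b'<a href="http://example.test/">link</a>' * 20
RESPONSE_PACKETS = [HEADER] + [BODY_PACKET] * 4

PREFILTER = b"http:"                            # the rule's content match
STAND_IN_PCRE = re.compile(rb'http://[^"]+')    # placeholder, not rule 17468's pcre


def bound_whole_response(packets, depth):
    """Depth counts against the entire response (header and body); once the
    budget is spent, later packets contribute nothing to inspection."""
    if depth == -1:                     # assumption: -1 = ignore server traffic
        return [b"" for _ in packets]
    if depth == 0:                      # assumption: 0 = inspect everything
        return list(packets)
    out, remaining = [], depth
    for pkt in packets:
        take = pkt[:remaining]
        out.append(take)
        remaining -= len(take)
    return out


def bound_first_packet_only(packets, depth):
    """Depth bounds only the first packet; every later packet is inspected in
    full, which is the 2.9.0.1 behaviour the report describes."""
    if depth == -1:
        return [b"" for _ in packets]
    if depth == 0:
        return list(packets)
    return [packets[0][:depth]] + list(packets[1:])


def rule_cost(buffers):
    """Return (pcre_evaluations, bytes_regex_scanned): the regex is only run on
    buffers where the cheap content prefilter already matched."""
    evals = scanned = 0
    for buf in buffers:
        if PREFILTER in buf:
            evals += 1
            scanned += len(buf)
            STAND_IN_PCRE.search(buf)
    return evals, scanned


def summarize(buffers):
    evals, scanned = rule_cost(buffers)
    return {"inspected_bytes": sum(len(b) for b in buffers),
            "pcre_evaluations": evals,
            "bytes_regex_scanned": scanned}


def compare(packets, depth):
    """Side-by-side cost of both semantics for one depth setting."""
    return {"whole_response": summarize(bound_whole_response(packets, depth)),
            "first_packet_only": summarize(bound_first_packet_only(packets, depth))}


if __name__ == "__main__":
    for depth in (-1, 0, 300):
        print(f"server_flow_depth {depth}:")
        for name, stats in compare(RESPONSE_PACKETS, depth).items():
            print(f"  {name:18s} {stats}")
```

With a positive depth the whole-response bound stops after the configured bytes, so the pcre is evaluated once; the first-packet-only bound hands every body packet to the rule engine and the pcre runs on each of them, which is the pattern the profiler output in the report points at. The -1 and 0 rows come out identical under both semantics, matching the observation that only -1 made the two versions comparable.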




