Snort mailing list archives
2.9.0.1 performance issue
From: Frank Eberle <himself () frank-eberle de>
Date: Thu, 18 Nov 2010 10:05:27 +0100
Hello,

Recently I've updated an already running installation from 2.9.0 to 2.9.0.1. Before the update CPU load was about 30%. After a while I've recognized that the snort process took 100% CPU time.

I've compiled snort with performance profiler support to analyse the problem. I've seen that rule 17468 was the most busy rule with 2.9.0.1 and in the preproc stats 'pcre' took much more time than with 2.9.0.

After tweaking the config file for some time, I've found out that when setting the parameter http_inspect_server / server_flow_depth to -1 the CPU usage of 2.9.0 and 2.9.0.1 was nearly equal. When setting the parameter to 0 or any value greater than 0, I've seen the performance issue again.

Then I've examined the source code (especially the code of http_inspect) and in my opinion the behaviour of the server_flow_depth changed completely. With 2.9.0 a value > 0 limited the inspection of the entire HTTP response (including the body). Now with 2.9.0.1 only the first response packet of the header is limited. All following response packets are examined. This leads to my observed performance issue.

Rule 17468 examines HTTP responses. The content match (content:"http|3A|") is not very significant, so the pcre test is called very often, which leads to the bad performance.

Has anybody recognized similar performance issues, or does anybody know why the http_inspect code was changed in this way? (When reading the comment in the changelog, the comment in the source code and the documentation, I'm thinking that this behaviour is a bug.)

Regards
Frank
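Added example, not part of the original post and not Snort code: a toy Python model of the two server_flow_depth behaviours as the post describes them for a value > 0, counting how often the content:"http|3A|" match hits and the pcre has to run. The response packets are constructed, and the PCRE is a hypothetical stand-in because rule 17468's expression is not shown in the post.

```python
import re

CONTENT = b"http:"  # content:"http|3A|" from the post (|3A| is ':')
# Hypothetical stand-in for the rule's pcre; the real expression is not on the page.
PCRE = re.compile(rb"http:\S{200,}")

def inspected_payloads(packets, depth, per_flow):
    """Yield the bytes handed to rule evaluation for one server response.

    per_flow=True : depth caps the whole response (the post's reading of 2.9.0)
    per_flow=False: depth caps only the first packet (the post's reading of 2.9.0.1)
    Only depth > 0 is modelled here.
    """
    remaining = depth
    for i, pkt in enumerate(packets):
        if per_flow:
            chunk = pkt[:remaining]
            remaining -= len(chunk)
        else:
            chunk = pkt[:depth] if i == 0 else pkt
        if chunk:
            yield chunk

def count_pcre_calls(packets, depth, per_flow):
    """Count packets where the content match hits, so the pcre must run."""
    calls = 0
    for chunk in inspected_payloads(packets, depth, per_flow):
        if CONTENT in chunk:
            PCRE.search(chunk)  # the step a profiler would attribute to 'pcre'
            calls += 1
    return calls

def make_response(body_packets=20):
    """Constructed sample: a header packet, then body packets full of links."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>"
    link = b'<a href="http://example.com/page">x</a>\n'
    return [head] + [link * 30 for _ in range(body_packets)]

if __name__ == "__main__":
    resp = make_response()
    for label, per_flow in (("depth caps whole response", True),
                            ("depth caps first packet only", False)):
        print(f"{label}: {count_pcre_calls(resp, 300, per_flow)} pcre calls")
```

Because almost any HTML body contains "http:", the content match filters out very little, and the number of pcre evaluations grows with the number of body packets that reach rule evaluation.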
Current thread:
- 2.9.0.1 performance issue Frank Eberle (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue Matt Olney (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue matan monitz (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue L0rd Ch0de1m0rt (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue Eoin Miller (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue Russ Combs (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue matan monitz (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue matan monitz (Nov 18)
- Re: [Snort-users] 2.9.0.1 performance issue Matt Olney (Nov 18)