From: Martin Roesch (roesch at sourcefire.com)
Date: Tue Jul 07 2009 - 19:02:53 CDT
On Tue, Jul 7, 2009 at 4:58 PM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
> Yeaup, that was 15% more total utilization for that core. Snort was
> using ~35% of a core to monitor ~450Mbit/s of traffic. After adding the
> second pointer dereference it was using ~50% of a core to monitor the
> same amount of traffic. FYI, this test snort instance has no rules
> loaded and is using Phil Wood's MMAP'd libpcap with a 1GigaByte buffer
> of system RAM.
>
> If you look at the cpu.png file
> (http://trojanedbinaries.com/security/snort/cpu.png) you can see the
> spike in the green line (system%) and the dip in the blue line (idle%)
> at 16:00. That was when snort was relaunched with the double pointer
> dereference in the call to the SnortEventqAdd function:
>
> SnortEventqAdd(GENERATOR_SPP_IPLIST, (int)pn->data, 1, 0, 0,
> list_names[(int)pn->data], 0);
>
> But if you notice the dip in the green line and rise in the blue line
> from 16:40-16:50, that was when I was running it recompiled with the single
> dereference:
>
> foo = (int)pn->data;
> SnortEventqAdd(GENERATOR_SPP_IPLIST, foo, 1, 0, 0, list_names[foo], 0);
>
> Tried your new first function you posted and the results appear the
> same. Good deal less processor utilization and no more packet loss and
> your new function makes more sense for those using the whitelisting
> functionality. Tried to use the fancy free way with the goto's, but gcc
> got all whiny about something.
Might work better if I actually tried to compile the thing instead of
just banging it in in gmail. Try this one:
===============
void IpListEval(Packet *p, void *context)
{
    struct addr saddr;
    struct addr daddr;
    s_ptrie_node_t *pn = NULL;
    int bl_ref = 0;

    if(!IsIP(p))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,
                                " -> spp_iplist: Not IP\n"););
        return;
    }

    /* only evaluate TCP SYNs, UDP and ICMP */
    if((IsTCP(p) && (p->tcph->th_flags & TH_SYN)) ||
       IsUDP(p) || IsICMP(p))
    {
        addr_pack(&saddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_src,
                  IP_ADDR_LEN);
        addr_pack(&daddr, ADDR_TYPE_IP, IP_ADDR_BITS, &p->iph->ip_dst,
                  IP_ADDR_LEN);

        if(ip_whitelist)
        {
            if(s_ptrie_find_entry_byaddr(ip_whitelist, &saddr) ||
               s_ptrie_find_entry_byaddr(ip_whitelist, &daddr))
            {
                /* let's bail, should probably set do_detect to 0 too... */
                return;
            }
        }

        if(ip_blacklist)
        {
            /* pull pn->data into bl_ref once so the alert call below
             * doesn't dereference the node twice */
            if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &saddr)))
            {
                bl_ref = (int)pn->data;
                goto bl_detect;
            }
            else if((pn = s_ptrie_find_entry_byaddr(ip_blacklist, &daddr)))
            {
                bl_ref = (int)pn->data;
                goto bl_detect;
            }
            goto bl_done;

bl_detect:
            if(!noalerts)
                SnortEventqAdd(GENERATOR_SPP_IPLIST, bl_ref, 1, 0, 0,
                               list_names[bl_ref], 0);
            if(!nodrops && InlineMode())
                InlineDrop(p);
        }
    }

bl_done:
    return;
}
===============
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
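Added example, not code from Martin Roesch or the Snort project: a stand-alone C model of the decision order in IpListEval above, so the whitelist-before-blacklist and src-before-dst behaviour can be run and checked outside Snort. A flat CIDR array stands in for Snort's s_ptrie, the entry's list_ref field plays the role of pn->data (the index into list_names[]), and the function returns a verdict instead of calling SnortEventqAdd()/InlineDrop(). All names (iplist_*, cidr_entry_t, demo_*), the IP4 macro and the sample lists are assumptions made for this example; the sample addresses are RFC 5737 documentation ranges.

```c
/* Added example (not Snort's code): model of the IpListEval evaluation order.
 * Every identifier and the sample lists below are invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t net;   /* network address, host byte order */
    unsigned bits;  /* prefix length, 0..32 */
    int list_ref;   /* stands in for pn->data: index into list_names[] */
} cidr_entry_t;

typedef struct {
    const cidr_entry_t *entries;
    size_t count;
} ip_list_t;

typedef enum { IPLIST_PASS = 0, IPLIST_WHITELISTED = 1, IPLIST_BLACKLISTED = 2 } iplist_verdict_t;

static uint32_t prefix_mask(unsigned bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

/* First-match lookup, the role s_ptrie_find_entry_byaddr() plays in Snort:
 * returns the matched entry or NULL. A NULL list matches nothing, which
 * mirrors the if(ip_whitelist)/if(ip_blacklist) guards. */
static const cidr_entry_t *iplist_find(const ip_list_t *l, uint32_t addr)
{
    if (l == NULL)
        return NULL;
    for (size_t i = 0; i < l->count; i++) {
        uint32_t m = prefix_mask(l->entries[i].bits);
        if ((addr & m) == (l->entries[i].net & m))
            return &l->entries[i];
    }
    return NULL;
}

/* Same decision order as IpListEval: a whitelisted src or dst ends evaluation
 * before any blacklist lookup; otherwise src, then dst, is checked against the
 * blacklist, and the matched entry's data is read once into *bl_ref (the
 * single-dereference form the thread settled on). */
iplist_verdict_t iplist_eval(const ip_list_t *whitelist, const ip_list_t *blacklist,
                             uint32_t src, uint32_t dst, int *bl_ref)
{
    const cidr_entry_t *pn;

    if (iplist_find(whitelist, src) || iplist_find(whitelist, dst))
        return IPLIST_WHITELISTED;

    if ((pn = iplist_find(blacklist, src)) != NULL ||
        (pn = iplist_find(blacklist, dst)) != NULL) {
        *bl_ref = pn->list_ref;
        return IPLIST_BLACKLISTED;
    }
    return IPLIST_PASS;
}

/* Constructed sample lists (RFC 5737 documentation ranges). */
static const char *list_names[] = { "bad-net-a", "bad-host-b" };
static const cidr_entry_t blacklist_entries[] = {
    { IP4(198, 51, 100, 0), 24, 0 },
    { IP4(203, 0, 113, 7), 32, 1 },
};
static const cidr_entry_t whitelist_entries[] = {
    { IP4(192, 0, 2, 0), 24, 0 },
};
static const ip_list_t sample_blacklist = { blacklist_entries, 2 };
static const ip_list_t sample_whitelist = { whitelist_entries, 1 };

/* Wrappers over the sample lists: the verdict for a src/dst pair, and the
 * name of the matched blacklist (NULL when the packet was not blacklisted). */
iplist_verdict_t demo_verdict(uint32_t src, uint32_t dst)
{
    int ref = -1;
    return iplist_eval(&sample_whitelist, &sample_blacklist, src, dst, &ref);
}

const char *demo_list_name(uint32_t src, uint32_t dst)
{
    int ref = -1;
    if (iplist_eval(&sample_whitelist, &sample_blacklist, src, dst, &ref) != IPLIST_BLACKLISTED)
        return NULL;
    return list_names[ref];
}
```

The point worth checking is the precedence: a packet with a whitelisted source and a blacklisted destination is whitelisted and never reaches the blacklist lookups, exactly as the early return in IpListEval arranges it, and a blacklist match on the source wins over one on the destination.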
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users