[Snort-devel] snort limitations
From: Todd Sproull <todd(at)arl.wustl.edu>
Date: Tue Apr 27 2004 - 11:34:56 EDT
I am testing snort out with a dual processor AMD 2600+ linux box running snort 2.1.2 with 3gigs of RAM and am able to get snort to seg fault on me when I increase the number of rules I am using to around 30,000 or so. I am creating randomly generated rules to try and gauge the performance of snort as the # of rules increases. I send around 700 Mbits/sec at my IDS and I have yet to see snort drop any packets. I am however limited in the # of rules I can test because of the seg fault issue.

Below is a sample of my "random" rules.

alert tcp any any -> any any (content:"|145616|"; msg:"Found rule";)
alert tcp any any -> any any (content:"|945917|"; msg:"Found rule";)
alert tcp any any -> any any (content:"|444646|"; msg:"Found rule";)

Any ideas on what might be causing this problem or how I can increase my ruleset? Below is a copy of my last experiment with snort (running 60000 rules).

Thanks for any help you can provide,
todd
[root@cobra157 snort-2.1.2]# ./run_snort
Running in IDS mode
Initializing Network Interface eth1
--== Initializing Snort ==--
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Stateful inspection: ACTIVE
Server reassembly: INACTIVE
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: etc/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory: YES alert: NO
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
60000 Snort rules read...
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
./run_snort: line 1: 15865 Segmentation fault snort -c etc/snort.conf -i eth1 -d -l ./log/

Received on Tue Apr 27 12:28:48 2004
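The post describes its scaling test (randomly generated content rules, fed to snort in increasing numbers) but does not show the generator. The script below is an added example, not the poster's script or any Snort project code: it emits rules in exactly the shape of the three samples above (three random bytes rendered as bare hex between pipes, a fixed msg), validates the hex content before the rules reach Snort, and reports how many distinct content patterns a set really contains. The 3-byte content length and the seed are assumptions taken from the samples; the rule count is a command-line argument.

```python
import random
import re
import sys

# Rule template copied from the post's three sample rules; the generator around it
# is an added example, not the poster's script.
RULE_TEMPLATE = 'alert tcp any any -> any any (content:"|{hexbytes}|"; msg:"Found rule";)'

# Extracts the hex digits between the pipes of a rule written with that template.
HEX_CONTENT_RE = re.compile(r'content:"\|([0-9A-Fa-f]+)\|"')


def random_hex_content(nbytes, rng):
    """Render nbytes random bytes as bare hex digits, e.g. '145616' for 3 bytes."""
    return "".join("{:02x}".format(rng.randrange(256)) for _ in range(nbytes))


def generate_rules(count, nbytes=3, seed=0):
    """Build `count` rules like the post's; a fixed seed makes a run reproducible,
    so a crash at a given rule count can be re-run with the identical ruleset."""
    rng = random.Random(seed)
    return [RULE_TEMPLATE.format(hexbytes=random_hex_content(nbytes, rng))
            for _ in range(count)]


def parse_hex_content(rule):
    """Return the content bytes of a rule, rejecting malformed hex content
    (missing pipes, non-hex characters, odd digit count) before Snort sees it."""
    match = HEX_CONTENT_RE.search(rule)
    if match is None:
        raise ValueError("rule has no |hex| content: %r" % rule)
    digits = match.group(1)
    if len(digits) % 2:
        raise ValueError("hex content needs an even number of digits: %r" % digits)
    return bytes.fromhex(digits)


def ruleset_stats(rules):
    """Count rules and distinct content patterns. Random 3-byte contents are drawn
    from only 2^24 values, so a 60,000-rule set is expected to hold roughly
    n^2 / 2^25, i.e. on the order of a hundred, duplicate patterns; a rule-count
    test should report the distinct count, since that is what the matcher holds."""
    patterns = [parse_hex_content(r) for r in rules]
    return {"rules": len(patterns), "distinct": len(set(patterns))}


if __name__ == "__main__":
    # Usage: python gen_rules.py 30000 > random.rules
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 30000
    rules = generate_rules(n)
    for rule in rules:
        print(rule)
    stats = ruleset_stats(rules)
    print("# %d rules, %d distinct content patterns"
          % (stats["rules"], stats["distinct"]), file=sys.stderr)
```

Redirect stdout into a rules file and include it from snort.conf; the summary line on stderr tells you the distinct pattern count to record alongside the rule count when charting where the process starts to fail.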