Bug #2014
Possible autofp issue in detection causing extended runtime processing a pcap.
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Description
This issue was found while working on the Rust DNS parser before handling lost responses, but also occurs in git master by disabling the line of code that marks transactions as having their reply lost, so they are never marked complete.
diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c index 3eb507adb..56b5c4ebe 100644 --- a/src/app-layer-dns-common.c +++ b/src/app-layer-dns-common.c @@ -394,7 +394,7 @@ DNSTransaction *DNSTransactionFindByTxId(const DNSState *dns_state, const uint16 return tx; } else if ((dns_state->transaction_max - tx->tx_num) > (dns_state->window - 1U)) { - tx->reply_lost = 1; + //tx->reply_lost = 1; } } }
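Review bot: In the `else if ((dns_state->transaction_max - tx->tx_num) > (dns_state->window - 1U))` branch of DNSTransactionFindByTxId, commenting out `tx->reply_lost = 1;` leaves the branch with an empty body, so a transaction that falls outside the window is no longer flagged and, per the description, is never marked complete. That works as a local reproduction aid, but it should not be committed in this form: a commented-out assignment inside an otherwise empty `else if` reads like leftover debugging and silently disables the window check. If the reproduction has to stay available, put the assignment behind a build-time test switch and add a comment stating why it is disabled, rather than leaving `//tx->reply_lost = 1;` in place.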
Note: I still need to extract a data set to make this happen.
What happens is Suricata will run but will get into a state where one thread is using 100% CPU and the rest are idle. perf shows a lot of time spent in DeStateSignatureAppend.
More details to come.