Bug #3877

closed

Transaction list grows without bound on parsers that use unidirectional transactions

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 5.0

Description

The SNMP transaction vector length can grow to large values, eventually causing packet loss due to excessive time spent in rs_snmp_get_tx_iterator.

At a production site, this manifested as:
1. Packet loss: packet loss occurred at rates well within the machine's capacity. Packet loss was nearly always present.
2. Excessive time in rs_snmp_get_tx_iterator (as measured by perf). Several readings showed it with 45% of time spent (displayed by perf).

Through observations obtained by capturing live network traffic, the attached pcap was synthetically constructed to demonstrate the issue. The key thing is the unbalanced ratio of requests to responses.


Files

snmp_patho.pcap (496 KB), Jeff Lucovsky, 08/15/2020 01:03 PM

Subtasks 9 (0 open, 9 closed)

Bug #3977: SNMP: Better handling of unidirectional transactions (Closed, Jason Ish)
Bug #3978: DHCP: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3979: IKEv2: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3980: MQTT: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3981: SIP: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3982: RDP: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3983: KRB5: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #3984: NTP: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #4009: ENIP: Unidirectional transaction handling (Closed, Jason Ish)

Related issues 2 (0 open, 2 closed)

Copied to Suricata - Bug #3948: Transaction list grows without bound on parsers that use unidirectional transactions (4.1.x) (Closed, Jason Ish)
Copied to Suricata - Bug #3949: Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x) (Closed, Jason Ish)
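
The growth pattern in the description, as an added model that is not Suricata code and not part of the original report. It assumes that a transaction is freed only after detection has inspected it in the directions the cleanup rule requires, and that detection for a direction runs only when a packet in that direction arrives. `Rule`, `Flow` and `simulate` are names invented for this example.

```rust
// Added illustration: a simplified model, NOT Suricata source code.
// Assumption: cleanup frees a transaction once detection has inspected it in
// the directions the rule requires; detection for a direction only runs when
// a packet travelling in that direction arrives.
#[derive(Clone, Copy)]
pub enum Rule { BothDirections, EitherDirection }

struct Tx { seen_ts: bool, seen_tc: bool }

pub struct Flow { txs: Vec<Tx>, steps: u64, peak: usize }

impl Flow {
    /// One message = one transaction, as in a unidirectional parser.
    pub fn packet(&mut self, to_server: bool, rule: Rule) {
        self.txs.push(Tx { seen_ts: false, seen_tc: false });
        // Detection walks every live transaction for this direction.
        for tx in self.txs.iter_mut() {
            self.steps += 1;
            if to_server { tx.seen_ts = true } else { tx.seen_tc = true }
        }
        self.peak = self.peak.max(self.txs.len());
        // Cleanup keeps whatever the rule does not yet consider finished.
        self.txs.retain(|tx| match rule {
            Rule::BothDirections => !(tx.seen_ts && tx.seen_tc),
            Rule::EitherDirection => !(tx.seen_ts || tx.seen_tc),
        });
    }
}

/// Sends `requests` requests, with one response after every `per_response`
/// requests (0 = never). Returns (peak list length, total iterator steps).
pub fn simulate(requests: u64, per_response: u64, rule: Rule) -> (usize, u64) {
    let mut flow = Flow { txs: Vec::new(), steps: 0, peak: 0 };
    for i in 1..=requests {
        flow.packet(true, rule);
        if per_response != 0 && i % per_response == 0 {
            flow.packet(false, rule);
        }
    }
    (flow.peak, flow.steps)
}

fn main() {
    for (name, rule) in [("both", Rule::BothDirections), ("either", Rule::EitherDirection)] {
        for per in [1, 100, 0] {
            let (peak, steps) = simulate(10_000, per, rule);
            println!("{:6} per_response={:3} peak={:5} steps={}", name, per, peak, steps);
        }
    }
}
```

With no responses at all, the both-directions rule keeps every transaction and the walk cost grows quadratically with the number of requests, while the either-direction rule keeps the list at one entry.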
#1

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 6.0.0
  • Label Needs backport to 4.1, Needs backport to 5.0 added
#2

Updated by Jason Ish over 3 years ago

  • Status changed from Assigned to In Review
#3

Updated by Jeff Lucovsky over 3 years ago

  • Copied to Bug #3948: Transaction list grows without bound on parsers that use unidirectional transactions (4.1.x) added
#4

Updated by Jeff Lucovsky over 3 years ago

  • Copied to Bug #3949: Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x) added
#5

Updated by Jason Ish over 3 years ago

  • Parent task set to #3977
#6

Updated by Jason Ish over 3 years ago

  • Label deleted (Needs backport to 4.1)
#7

Updated by Jason Ish over 3 years ago

  • Subject changed from SNMP: Transaction vector grows without bound to Transaction vector grows without bound (Was SNMP)
  • Parent task deleted (#3977)

Rewording for parent ticket of all protocols with this issue for better tracking.

#8

Updated by Jason Ish over 3 years ago

  • Subject changed from Transaction vector grows without bound (Was SNMP) to Transaction list grows without bound on parsers that use unidirectional transactions
#9

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
#10

Updated by Victor Julien over 3 years ago

  • Private changed from Yes to No