Project

General

Profile

Actions

Bug #3949

closed

Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x)

Added by Jeff Lucovsky over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The SNMP transaction vector length can grow to large values eventually causing packet loss due to excessive time spent in rs_snmp_get_tx_iterator.

At a production site, this manifested as
1. Packet loss: packet loss occurred at rates well within the machine's capacity. Packet loss was nearly always present.
2. Excessive time in rs_snmp_get_tx_iterator (as measured by perf). Several readings showed it with 45% of time spent (displayed by perf).

Through observations obtained by capturing live network traffic, the attached pcap was synthetically constructed to demonstrate the issue. The key thing is the unbalanced ratio of requests to responses.


Files

snmp_patho.pcap (496 KB) snmp_patho.pcap Jeff Lucovsky, 08/15/2020 01:03 PM

Subtasks 8 (0 open8 closed)

Bug #4002: IKEv2: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4003: SIP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4004: RDP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4005: KRB5: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4006: NTP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4007: SNMP: Better handling of unidirectional transactions (5.0.x)ClosedJason IshActions
Bug #4008: DHCP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4010: ENIP: Unidirectional transaction handling (5.0.x)ClosedJason IshActions

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactionsClosedJason IshActions
Actions #1

Updated by Jeff Lucovsky over 4 years ago

  • Copied from Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactions added
Actions #2

Updated by Jeff Lucovsky about 4 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Jeff Lucovsky to Jason Ish
Actions #3

Updated by Jason Ish about 4 years ago

  • Subject changed from SNMP: Transaction vector grows without bound to SNMP: Transaction vector grows without bound (5.0.x)
Actions #4

Updated by Jason Ish about 4 years ago

  • Subject changed from SNMP: Transaction vector grows without bound (5.0.x) to Unidirectional transaction handling (5.0.x)
Actions #5

Updated by Jason Ish about 4 years ago

  • Subject changed from Unidirectional transaction handling (5.0.x) to Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x)
Actions #6

Updated by Victor Julien about 4 years ago

  • Status changed from In Review to Closed
Actions #7

Updated by Victor Julien about 4 years ago

  • Affected Versions 5.0.0, 5.0.1, 5.0.2 added
Actions #8

Updated by Jeff Lucovsky about 4 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF