Project

General

Profile

Actions
Copy link

Bug #3949

closed

Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x)

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
5.0.4
Affected Versions:
5.0.0, 5.0.1, 5.0.2, 5.0.3
Effort:
Difficulty:
Label:

Description

The SNMP transaction vector length can grow to large values eventually causing packet loss due to excessive time spent in rs_snmp_get_tx_iterator.

At a production site, this manifested as
1. Packet loss: packet loss occurred at rates well within the machine's capacity. Packet loss was nearly always present.
2. Excessive time in rs_snmp_get_tx_iterator (as measured by perf). Several readings showed it with 45% of time spent (displayed by perf).

Through observations obtained by capturing live network traffic, the attached pcap was synthetically constructed to demonstrate the issue. The key thing is the unbalanced ratio of requests to responses.

Files

snmp_patho.pcap (496 KB) snmp_patho.pcap Jeff Lucovsky, 08/15/2020 01:03 PM

Subtasks 8 (0 open8 closed)

Bug #4002: IKEv2: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4003: SIP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4004: RDP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4005: KRB5: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4006: NTP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4007: SNMP: Better handling of unidirectional transactions (5.0.x)ClosedJason IshActions
Bug #4008: DHCP: Add unidirectional transaction handling (5.0.x)ClosedJason IshActions
Bug #4010: ENIP: Unidirectional transaction handling (5.0.x)ClosedJason IshActions

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactionsClosedJason IshActions
Actions
Copy link
 #1

Updated by Jeff Lucovsky over 3 years ago

  • Copied from Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactions added
Actions
Copy link
 #2

Updated by Jeff Lucovsky over 3 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Jeff Lucovsky to Jason Ish
Actions
Copy link
 #3

Updated by Jason Ish over 3 years ago

  • Subject changed from SNMP: Transaction vector grows without bound to SNMP: Transaction vector grows without bound (5.0.x)
Actions
Copy link
 #4

Updated by Jason Ish over 3 years ago

  • Subject changed from SNMP: Transaction vector grows without bound (5.0.x) to Unidirectional transaction handling (5.0.x)
Actions
Copy link
 #5

Updated by Jason Ish over 3 years ago

  • Subject changed from Unidirectional transaction handling (5.0.x) to Transaction list grows without bound on parsers that use unidirectional transactions (5.0.x)
Actions
Copy link
 #6

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
Actions
Copy link
 #7

Updated by Victor Julien over 3 years ago

  • Affected Versions 5.0.0, 5.0.1, 5.0.2 added
Actions
Copy link
 #8

Updated by Jeff Lucovsky over 3 years ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF