Bug #1078: 'Not" operator (!) in Variable causes extremely slow loading of Suricata - Suricata - Open Information Security Foundation

Bug #1078

Updated by Victor Julien over 10 years ago

I'm running Suricata 1.4.1 on FreeBSD. I have encountered an issue when modifying the 
 HOME_NET variable if I want to exclude a particular IP address from a CIDR 
 defined network. For example, in HOME_NET I have defined 192.168.0.0/16. 
 If I want to EXCLUDE the 192.168.14.0 subnet, the documentation I found 
 said it would noted as follows: 

 <pre> 
 HOME_NET:  	 [192.168.0.0/16,!192.168.14.0/24] 
 </pre> 

 If I DO NOT have the negative in my Suricata.yaml file, it loads in seconds: 

 <pre> 
 -------------------------------------------------------------------- 
 Jan    9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> - 8641 
 signatures processed. 704 are IP-only rules, 3688 are inspecting packet 
 payload, 4896 inspect application layer, 0 are decoder event only 
 Jan    9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> - 
 building signature grouping structure, stage 1: adding signatures to 
 signature source addresses... complete 
 Jan    9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> - 
 building signature grouping structure, stage 2: building source address 
 list... complete 
 Jan    9 20:33:11 IDS_GW suricata: 9/1/2014 -- 20:33:11 - <Info> - 
 building signature grouping structure, stage 3: building destination 
 address lists... complete 
 --------------------------------------------------------------------- 
 </pre> 

 When I add the negative to the variable, it takes over 
 40 minutes for Suricata to load and start inspecting traffic. 

 From the logs, I can tell it hangs after stage 1. Notice the times: 

 <pre> 
 --------------------------------------------------------------------- 
 9/1/2014 -- 20:23:29 - <Info> - building signature grouping structure, 
 stage 1: adding signatures to signature source addresses... complete 
 9/1/2014 -- 20:53:39 - <Info> - building signature grouping structure, 
 stage 2: building source address list... complete 
 9/1/2014 -- 21:10:09 - <Info> - building signature grouping structure, 
 stage 3: building destination address lists... complete 
 --------------------------------------------------------------------- 
 </pre> 

 This bug was independently verified on 2.0Beta2 as well.

Back

Project

General

Profile

Suricata

Bug #1078