Bug #3948

closed

Transaction list grows without bound on parsers that use unidirectional transactions (4.1.x)

Added by Jeff Lucovsky about 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal

Description

The SNMP transaction vector length can grow to large values, eventually causing packet loss due to excessive time spent in rs_snmp_get_tx_iterator.

At a production site, this manifested as:
1. Packet loss: packet loss occurred at rates well within the machine's capacity. Packet loss was nearly always present.
2. Excessive time in rs_snmp_get_tx_iterator (as measured by perf). Several readings showed it with 45% of time spent (displayed by perf).

Through observations obtained by capturing live network traffic, the attached pcap was synthetically constructed to demonstrate the issue. The key thing is the unbalanced ratio of requests to responses.


Files

snmp_patho.pcap (496 KB), Jeff Lucovsky, 08/15/2020 01:03 PM
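The growth pattern described above, as an added example that is not Suricata's code and not part of the original report: a simplified model of one flow's transaction list, replayed against constructed traffic with an unbalanced request/response ratio. The cleanup rule (a transaction is freed only once both directions are marked done), the `mark_both` handling, and all names are assumptions made for illustration.

```rust
// Simplified model (assumption), not Suricata's implementation.
#[derive(Clone, Copy, PartialEq)]
enum Dir { ToServer, ToClient }

struct Tx { done_ts: bool, done_tc: bool }

struct Flow { txs: Vec<Tx>, scan_steps: u64, peak_len: usize, mark_both: bool }

impl Flow {
    fn new(mark_both: bool) -> Self {
        Flow { txs: Vec::new(), scan_steps: 0, peak_len: 0, mark_both }
    }

    /// Handle one PDU; every PDU opens its own unidirectional transaction.
    fn on_pdu(&mut self, dir: Dir) {
        // A packet in `dir` walks the whole list and finishes that direction.
        for tx in self.txs.iter_mut() {
            self.scan_steps += 1; // stand-in for time spent iterating
            match dir {
                Dir::ToServer => tx.done_ts = true,
                Dir::ToClient => tx.done_tc = true,
            }
        }
        // Assumed cleanup rule: free only when both directions are done.
        self.txs.retain(|tx| !(tx.done_ts && tx.done_tc));
        let both = self.mark_both;
        self.txs.push(Tx {
            done_ts: both || dir == Dir::ToServer,
            done_tc: both || dir == Dir::ToClient,
        });
        self.peak_len = self.peak_len.max(self.txs.len());
    }
}

/// Replay `requests` requests with one response after every `ratio` requests.
/// Returns (peak list length, total list entries visited).
fn replay(requests: u32, ratio: u32, mark_both: bool) -> (usize, u64) {
    let mut flow = Flow::new(mark_both);
    for i in 1..=requests {
        flow.on_pdu(Dir::ToServer);
        if i % ratio == 0 { flow.on_pdu(Dir::ToClient); }
    }
    (flow.peak_len, flow.scan_steps)
}

fn main() {
    // Constructed traffic: 10,000 requests, one response per 1,000 requests.
    println!("wait for reverse traffic: {:?}", replay(10_000, 1_000, false));
    println!("done at creation:         {:?}", replay(10_000, 1_000, true));
}
```

In this model the list length between responses tracks the request/response ratio and the per-packet walk makes total work quadratic in that ratio; with no responses at all the list never shrinks.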

Subtasks 5 (0 open, 5 closed)

Bug #4011: ENIP: Unidirectional transaction handling (4.1.x) (Closed, Jason Ish)
Bug #4012: NTP: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #4013: KRB5: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #4014: IKEv2: Add unidirectional transaction handling (Closed, Jason Ish)
Bug #4015: DHCP: Add unidirectional transaction handling (Closed, Jason Ish)

Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactions (Closed, Jason Ish)