[Snort-devel] snort 1.7 pretty much ready

Christopher Cramer cec at ...56...
Tue Jan 2 17:04:05 EST 2001


Hey, sorry for not getting back to y'all sooner on this.  I'm now
reasonably certain that there isn't a programming flaw in the stream
reassembler.  I think the problem is that we are missing packets or
getting them out of order on a few systems.

That said, this is a design flaw.  I think the fix to this is to do the
following:  collect the data into a linked list of data buffers for each
stream instead of in a buffer; note where the carriage returns in the
linked list are positioned; when an ACK packet comes in, check to see if
it ACKs data we have collected and that there was a carriage return in the
ACK'd portion.  Only at this point do we re-create the buffer.  I would
probably wind up creating a system-wide buffer in which to do the actual
reconstruction, saving the overhead of generating a dynamically allocated
buffer each time we reconstruct.  Any thoughts or suggestions?

This will also fix a problem as we move towards host-based monitoring.  I
would like to add the ability to emulate the precise oddities of different
OSs when reconstructing streams.  One of those oddities is that certain
versions of Windows give priority to old data over new data on overlapping
sequence numbers; on the other hand, Unices correctly give priority to
new data.  This can easily be addressed during reconstruction if all of
the data is still around.

Anyway, I'm fine w/ the stream reassembler being marked beta, it still
very much is :-)     (I don't think I advertised otherwise).

-Chris
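One way to model the design Chris sketches above, as an added example that is not code from this thread or from Snort itself: every received segment is kept in a per-stream linked list, and when an ACK arrives the ACKed span is rebuilt into one system-wide buffer and handed on only if it is gap-free and contains a carriage return. The overlap policy (FAVOR_OLD for the Windows-style behaviour, FAVOR_NEW for the Unix-style one) is applied at reconstruction time, which works only because all the data is still around; the function names, the 64 KiB buffer size and the sample segments are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STREAM_BUF 65536   /* one system-wide reconstruction buffer (assumed size) */
enum overlap_policy { FAVOR_OLD, FAVOR_NEW };   /* Windows-like vs. Unix-like */

typedef struct segment {           /* every received chunk is kept, in arrival order */
    uint32_t seq; size_t len; unsigned char *data;
    struct segment *next;
} segment;
typedef struct { uint32_t isn; segment *head, *tail; } stream;  /* per-stream list */

unsigned char g_buf[STREAM_BUF];           /* shared reconstruction buffer */
static unsigned char g_filled[STREAM_BUF]; /* which offsets some segment covered */

void stream_add(stream *s, uint32_t seq, const unsigned char *d, size_t n) {
    segment *seg = malloc(sizeof *seg);
    seg->seq = seq; seg->len = n; seg->data = malloc(n); seg->next = NULL;
    memcpy(seg->data, d, n);
    if (s->tail) s->tail->next = seg; else s->head = seg;
    s->tail = seg;
}

/* Copy the part of one segment that lies in [isn, ack) into the shared buffer. */
static void paint(const segment *seg, uint32_t isn, uint32_t ack) {
    for (size_t i = 0; i < seg->len; i++) {
        uint32_t off = seg->seq + (uint32_t)i - isn;   /* wraps huge if before isn */
        if (off < ack - isn && off < STREAM_BUF) { g_buf[off] = seg->data[i]; g_filled[off] = 1; }
    }
}

/* Painting newest-first means the oldest segment is written last and wins. */
static void paint_oldest_wins(const segment *seg, uint32_t isn, uint32_t ack) {
    if (!seg) return;
    paint_oldest_wins(seg->next, isn, ack);
    paint(seg, isn, ack);
}

/* On an ACK: rebuild [isn, ack) into g_buf. Returns the byte count ready for the
 * detection engine, or 0 if the ACKed span has a hole or contains no CR. */
size_t stream_flush(stream *s, uint32_t ack, enum overlap_policy pol) {
    size_t want = ack - s->isn;
    if (want > STREAM_BUF) return 0;
    memset(g_filled, 0, want);
    if (pol == FAVOR_NEW) { for (segment *g = s->head; g; g = g->next) paint(g, s->isn, ack); }
    else paint_oldest_wins(s->head, s->isn, ack);
    int cr = 0;
    for (size_t i = 0; i < want; i++) { if (!g_filled[i]) return 0; if (g_buf[i] == '\r') cr = 1; }
    return cr ? want : 0;
}
```

With a constructed retransmission that overlaps the CR, the same segment list yields a line terminator under FAVOR_OLD and none under FAVOR_NEW, which is exactly why the host's overlap behaviour has to be emulated.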


On Tue, 2 Jan 2001, Martin Roesch wrote:

> There are still some "issues" in the stream reassembler, but for the time
> being I don't see why that should hold up the release.  Chris Cramer has said
> that he intends to fix this problem ASAP, and since it doesn't seem to affect
> the stability of the system, I'll wrap it in a big "BETA" and we'll put it in
> there.  After we release 1.7 I intend to switch the 1.X codebase to a "release
> early, release often" methodology where we'll do sub-point releases every week
> or two with the latest & greatest fixes.  At the same time, we're going to
> begin development on 2.0 which is where the main concentration of effort will
> go.  
> 
> As Chris works on the stream reassembler, we'll integrate those changes
> directly into the 1.7.X release series.
> 
>     -Marty
> 
> Chris Green wrote:
> > 
> > spp_tcpstream should be marked as beta IMO if 1.7 ships as is in CVS
> > right now.
> > 
> >  (34566 > 25144)[!] WARNING: TCP stream reassembler, Server Bytes in
> >  Buffer > Buffer Size (31418 > 25144)[!] WARNING: TCP stream
> >  reassembler, Server Bytes in Buffer > Buffer Size (25902 > 25144)[!]
> >  WARNING: TCP stream reassembler, Server Bytes in Buffer > Buffer Size
> >  (31493 > 25144)[!] WARNING: TCP stream reassembler, Server Bytes in
> >  Buffer > Buffer Size (28249 > 25144)[!] WARNING: TCP stream
> >  reassembler, Server Bytes in Buffer > Buffer Size (27113 > 25144)[!]
> >  WARNING: TCP stream reassembler, Server Bytes in Buffer > Buffer Size
> >  (36194 > 33904)[!] WARNING: TCP stream reassembler, Server Bytes in
> >  Buffer > Buffer Size (35870 > 33904)[!] WARNING: TCP stream
> >  reassembler, Client Bytes in Buffer > Buffer Size (1209526456 >
> >  24576)[!] WARNING: TCP stream reassembler, Client Bytes in Buffer >
> >  Buffer Size (1209510072 > 24576)[!] WARNING: TCP stream reassembler,
> >  Server Bytes in Buffer > Buffer Size (35372 > 25144)[!] WARNING: TCP
> >  stream reassembler, Server Bytes in Buffer > Buffer Size (33588 >
> >  25144)[!] WARNING: TCP stream reassembler, Server Bytes in Buffer >
> >  Buffer Size (27137 > 25904)[!] WARNING: TCP stream reassembler,
> >  Server Bytes in Buffer > Buffer Size (28567 > 25904)[!] WARNING: TCP
> >  stream reassembler, Server Bytes in Buffer > Buffer Size (29799 >
> >  25904)[!] WARNING: TCP stream reassembler, Server Bytes in Buffer >
> >  Buffer Size (31287 > 25904)[!] WARNING: TCP stream reassembler,
> >  Client Bytes in Buffer > Buffer Size (1049196226 > 24576)[!] WARNING:
> >  TCP stream reassembler, Server Bytes in Buffer > Buffer Size (29230 >
> >  25144)[!] WARNING: TCP stream reassembler is trying to allocate 0
> >  byte server stream
> > 
> > [!] WARNING: TCP stream reassembler is trying to allocate 0 byte server stream
> > 
> > Martin Roesch <roesch at ...48...> writes:
> > 
> > > Hi Guys,
> > >      I've spent a good portion of the past few days doing testing and
> > > documentation and it looks like we're ready to go.  I'm just now checking in
> > > the last batch of code that will be shipped as version 1.7 barring anyone
> > > finding anything disastrous in the CVS code between now and the time I get
> > > the last of the documentation finished.  I've updated the snort.8 man page,
> > > the README file, and the USAGE file so far.  I also added a bunch of people to
> > > the CREDITS file, if you're not in there and you think you should be please
> > > drop me a line, I have a terrible memory sometimes. :)
> > >      Tonight I test compiled on all my available platforms: Linux, FreeBSD,
> > > OpenBSD, Solaris and Tru64 and it looks like things are running smoothly.
> > > Fyodor, Jed and I have been doing a variety of checkins to the CVS repository
> > > over the past few days but it appears that the snort-cvs list isn't being updated
> > > at this time (Sourceforge is moving their servers).  Hopefully this will be
> > > fixed soon.
> > >      I'm going to spend some time working on the web site tomorrow (updating
> > > the rules document and the downloads page) and if nobody has any objections,
> > > as soon as I'm finished with that we'll release version 1.7!  It's been a long
> > > road, and I'd like to thank everyone who has contributed over the past few
> > > months, you've all been a great help!
> > >
> > >      -Marty
> > >
> > > --
> > > Martin Roesch
> > > roesch at ...48...
> > > http://www.snort.org
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-devel
> > 
> > --
> > Chris Green <cmg at ...81...>
> > You now have 14 minutes to reach minimum safe distance.
> 
> -- 
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
> 