[Snort-devel] snort 1.7 pretty much ready

Chris Green cmg at ...81...
Tue Jan 2 23:10:57 EST 2001

Christopher Cramer <cec at ...56...> writes:

> Hey, sorry for not getting back to y'all sooner on this.  I'm now
> reasonably certain that there isn't a programming flaw in the stream
> reassembler.  I think the problem is that we are missing packets or
> getting them out of order on a few systems.

That would be a fair diagnosis of my system.  An underpowered sensor
with too much to process is where I see these symptoms.

> That said, this is a design flaw.  I think the fix to this is to do the
> following:  collect the data into a linked list of data buffers for each
> stream instead of in a buffer; note where the carriage returns in the
> linked list are positioned; when an ACK packet comes in, check to see if
> it ACKS data we have collected and that there was a carriage return in the
> ACK'd portion.  Only at this point do we re-create the buffer.  I would
> probably wind up creating a system-wide buffer in which to do the actual
> reconstruction, saving the overhead of generating a dynamically allocated
> buffer each time we reconstruct.  Any thoughts or suggestions?

I assume this linked list is based on the sequence numbers the
analyzer has seen packets for and ones that it has acks for and
by moving to a linked list, it will allow handling of out of order

One ramble is keeping something like a max difference between the
ACKs and SEQs we've seen.  Also, how to handle something where many
SYNs are sent out at once to say... every host on a class B. Keeping
a max limit on the number of streams to keep track of at once might be
needed, and yielding to older streams we've already got some data for
would be prudent.  Otherwise the IDS might be kept too busy with
bookkeeping for the stream plugin.   This should be easy to add on at the
end as an additional feature though.

> Anyway, I'm fine w/ the stream reassembler being marked beta, it still
> very much is :-)     (I don't think I advertised otherwise).
> -Chris

You didn't advertise otherwise.  I just wanted to point out that it
should be marked as beta in an otherwise stable release.

Chris Green <cmg at ...81...>
Fame may be fleeting but obscurity is forever.
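As an added sketch of the design discussed in this thread (this is illustrative code written for this page, not code from Snort or from either poster): per-stream segments are kept in sequence order so out-of-order arrivals land in place, carriage returns are noted when a segment is queued, data is only rebuilt into one shared scratch buffer once an ACK covers a contiguous, CR-containing run, and a stream cap evicts streams that hold no data before refusing newcomers. The flow key shape, the default cap and the treatment of an empty first packet as the SYN are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int
    data: bytes
    has_cr: bool  # noted when queued, so the ACK check never rescans payloads

@dataclass
class Stream:
    next_seq: int  # first byte not yet handed to the detection engine
    segments: list = field(default_factory=list)  # sorted by seq: the per-stream "linked list"

class Reassembler:
    def __init__(self, max_streams: int = 64):
        self.streams: dict = {}  # keyed by (src, sport, dst, dport); key shape is an assumption
        self.max_streams = max_streams
        self.scratch = bytearray()  # one system-wide buffer reused for every reconstruction

    def add_segment(self, key: tuple, seq: int, data: bytes) -> bool:
        s = self.streams.get(key)
        if s is None:
            if len(self.streams) >= self.max_streams:
                # Full: evict a stream with no data yet (e.g. a bare SYN from a sweep), else newcomer yields
                empty = next((k for k, v in self.streams.items() if not v.segments), None)
                if empty is None:
                    return False
                del self.streams[empty]
            # First packet seen starts the stream; an empty one is taken as the SYN (uses one seq number)
            s = self.streams[key] = Stream(next_seq=seq if data else seq + 1)
        if data and seq >= s.next_seq and all(seg.seq != seq for seg in s.segments):
            pos = sum(1 for seg in s.segments if seg.seq < seq)  # out-of-order arrival lands in place
            s.segments.insert(pos, Segment(seq, data, b"\r" in data))
        return True  # retransmissions and empty segments are tracked but not queued

    def on_ack(self, key: tuple, ack: int):
        s = self.streams.get(key)
        if s is None:
            return None
        end, acked = s.next_seq, []
        for seg in s.segments:
            if seg.seq != end or seg.seq + len(seg.data) > ack:
                break  # hole before this segment, or the peer has not ACKed all of it yet
            acked.append(seg)
            end = seg.seq + len(seg.data)
        if not acked or not any(seg.has_cr for seg in acked):
            return None  # no ACKed, CR-terminated run yet: keep buffering
        self.scratch[:] = b"".join(seg.data for seg in acked)  # rebuild in the shared buffer
        del s.segments[:len(acked)]
        s.next_seq = end
        return bytes(self.scratch)
```

A sensor that drops packets shows up here as a permanent hole: the ACK moves past it but on_ack never delivers, which is the symptom described in the thread rather than a reassembler bug.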
