[Snort-devel] Is stream3 working?
cmg at ...81...
Wed May 9 20:08:00 EDT 2001
Martin Roesch <roesch at ...402...> writes:
> Hey guys,
> Well, I updated the stream3 code with some quick bug fixes about 18
> hours ago, can I assume by the relative silence that it's working for
> people now?
Using various plugins with a stress test of super high packetloss
(50%) at 20mbit, I've seen snort crash in tcpstream3, defrag, and in
decoding the IP header ( using snort CVS of maybe 8 hrs ago ). I know
this isn't how one anticipates snort should be run but it does show a
heck of a lot of the border cases quickly.
things do a lot better w/o tcpstream3 but I ran out of time at work to
track down any of these things ( and my nights are filled with doing
school projects till the end of the month - atleast they are projects
of my own choosing).
Another thing I noticed was with no alert style rules defined, a ^C to
snort would cause a segfault in tcpstreams exit routines.
How much storage max is allocated per node in the AVL tree?
When the tree's # of nodes fills up, can a flag be set so that only
one message is printed. It looks like a bit of debug code that got
Chris Green <cmg at ...81...>
To err is human, to moo bovine.
More information about the Snort-devel