[Snort-devel] Is stream3 working?

Chris Green cmg at ...81...
Wed May 9 20:08:00 EDT 2001


Martin Roesch <roesch at ...402...> writes:

> Hey guys,
>      Well, I updated the stream3 code with some quick bug fixes about 18
> hours ago, can I assume by the relative silence that it's working for
> people now?
> 

Using various plugins with a stress test of super high packet loss
(50%) at 20mbit, I've seen snort crash in tcpstream3, defrag, and in
decoding the IP header (using snort CVS of maybe 8 hrs ago).  I know
this isn't how one anticipates snort should be run but it does show a
heck of a lot of the border cases quickly.

Things do a lot better w/o tcpstream3 but I ran out of time at work to
track down any of these things (and my nights are filled with doing
school projects till the end of the month - at least they are projects
of my own choosing).

Another thing I noticed was with no alert style rules defined, a ^C to
snort would cause a segfault in tcpstreams exit routines.

How much storage max is allocated per node in the AVL tree?

When the tree's # of nodes fills up, can a flag be set so that only
one message is printed?  It looks like a bit of debug code that got
left in.
-- 
Chris Green <cmg at ...81...>
To err is human, to moo bovine.



