[Snort-devel] Stream3 preprocessor question.

william.c.gercken at ...350...
Tue May 15 13:40:24 EDT 2001


Looking at the code in TcpStream3Packet(), I do not see where this version
(spp_tcp_stream3) of the preprocessor will remove unused nodes after the
timeout. TcpStream3PruneTree() appears to focus on pruning nodes related to
the given packet. If the assumption is that the preprocessor will see a
reset for un-ack'd connections, then what happens if the reset is never
sent? I am thinking in terms of inbound connections which are dropped by a
router or firewall, which would leave the node tree with stale nodes. I am
seeing the avlnode count climb steadily throughout the day. I ran the
preprocessor with a single port (25) to limit the number of sessions that I
was watching, which appeared to grow and shrink as sessions completed. So
valid connections appear to work ok. Any ideas or thoughts on this?
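
An added example, not part of the original post and not Snort's code: a timeout sweep that visits every tracked session rather than only the one the current packet belongs to, so connections dropped upstream without a reset are still freed. The flat table, the struct and the function names are hypothetical stand-ins for the preprocessor's AVL tree, and the timestamps are constructed.

```c
#include <stdio.h>
#include <time.h>

#define MAX_SESSIONS 64
/* Hypothetical session record for illustration; not Snort's structure. */
struct session {
    unsigned int src, dst;
    unsigned short sport, dport;
    time_t last_seen;   /* time of the last packet seen on this session */
    int in_use;
};
static struct session table[MAX_SESSIONS];

/* Refresh the matching session or claim a free slot; -1 if the table is full. */
int track_packet(unsigned int src, unsigned short sport,
                 unsigned int dst, unsigned short dport, time_t now)
{
    struct session *slot = NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (s->in_use && s->src == src && s->dst == dst &&
            s->sport == sport && s->dport == dport) {
            s->last_seen = now;
            return 0;
        }
        if (!s->in_use && !slot) slot = s;
    }
    if (!slot) return -1;
    *slot = (struct session){ src, dst, sport, dport, now, 1 };
    return 0;
}

/* Sweep every session, not only the one the current packet belongs to. */
int prune_idle(time_t now, time_t timeout)
{
    int removed = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && now - table[i].last_seen > timeout) {
            table[i].in_use = 0;   /* stale: no traffic and no reset seen */
            removed++;
        }
    return removed;
}

int main(void)
{   /* Constructed traffic: session A stays active, session B goes silent. */
    track_packet(1, 1000, 2, 25, 100);
    track_packet(3, 2000, 2, 25, 100);
    track_packet(1, 1000, 2, 25, 150);
    printf("pruned %d stale session(s)\n", prune_idle(200, 60));
    return 0;
}
```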
