[Snort-devel] Stream3 preprocessor question.

william.c.gercken at ...350... william.c.gercken at ...350...
Wed May 16 15:47:53 EDT 2001


Never mind, I see where TcpStream3PruneTree() should do the job just fine.

-bill



                                                                                                                                              
william.c.gercken at ...350...
Sent by: snort-devel-admin at ...424...eforge.net
To: snort-devel at lists.sourceforge.net
cc:
Subject: [Snort-devel] Stream3 preprocessor question.
05/15/2001 01:40 PM





Question:

Looking at the code in TcpStream3Packet(), I do not see where this version
(spp_tcp_stream3) of the preprocessor will remove unused nodes after the
timeout. TcpStream3PruneTree() appears to focus on pruning nodes related to
the given packet. If the assumption is that the preprocessor will see a
reset for un-ack'd connections, then what happens if the reset is never
sent? I am thinking in terms of inbound connections which are dropped by a
router or firewall, which would leave the node tree with stale nodes. I am
seeing the avlnode count climb steadily throughout the day. I ran the
preprocessor with a single port (25) to limit the number of sessions that I
was watching, which appeared to grow and shrink as sessions completed. So
valid connections appear to work ok. Any ideas or thoughts on this?

Regards,
-bill
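
Added example, not part of the original message and not Snort's code: a minimal session table showing why nodes for connections that never see a reset must be aged out by a sweep over every node's idle time rather than only when a packet for that flow arrives. All names, the 30-second timeout and the flat array standing in for the AVL tree are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

#define MAX_SESSIONS 8
#define SESSION_TIMEOUT 30  /* seconds; constructed value */

/* Hypothetical session node; a flat array stands in for the AVL tree. */
struct session {
    unsigned int   saddr, daddr;
    unsigned short sport, dport;
    time_t         last_seen;
    int            in_use;
};
static struct session table[MAX_SESSIONS];

/* Record a packet seen at `now`; returns 0, or -1 when the table is full. */
int session_touch(unsigned int saddr, unsigned short sport,
                  unsigned int daddr, unsigned short dport, time_t now) {
    struct session *slot = NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (!s->in_use) { if (!slot) slot = s; continue; }
        if (s->saddr == saddr && s->sport == sport &&
            s->daddr == daddr && s->dport == dport) {
            s->last_seen = now;   /* existing flow: refresh idle timer */
            return 0;
        }
    }
    if (!slot) return -1;         /* stale nodes have exhausted the table */
    *slot = (struct session){ saddr, daddr, sport, dport, now, 1 };
    return 0;
}

/* Sweep every node, not only the current packet's flow, and free those
 * idle longer than SESSION_TIMEOUT. Returns the number of nodes freed. */
int session_prune(time_t now) {
    int removed = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && now - table[i].last_seen > SESSION_TIMEOUT) {
            table[i].in_use = 0;
            removed++;
        }
    return removed;
}

int main(void) {
    session_touch(1, 1025, 2, 25, 0);   /* constructed: SYN dropped upstream, no RST */
    session_touch(3, 1026, 2, 25, 40);  /* constructed: flow still active at t=40 */
    printf("pruned %d stale node(s)\n", session_prune(40));
    return 0;
}
```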

