[Snort-devel] Stream3 preprocessor question

Christopher E. Cramer chris.cramer at ...219...
Fri May 18 17:32:45 EDT 2001


it may be a bit worse than that.  stream3 broke some of the correct error
checking mechanisms in the tcp reconstruction.

marty and i talked about a little of this and there are some solutions
that have not yet been implemented.  the biggest problem is that the
stream and stream2 processors used the ACK to decide when data had been
officially and correctly received by the destination.  there are also a
few problems w/ stream3 regarding when to send out packets.
stream/stream2 used CR or LF to do this.  This probably isn't right.
stream3 uses 2*max_pattern which unfortunately also is not correct.  I
believe that the correct way of doing this may involve possibly sending
some subset of the data through the detection engine twice in order to be
certain that the detection engine sees a complete pattern.  i'll try and
work on these issues over the weekend.

also, i've been running stream2 now for well over a week on my gigabit
feed.  i don't see any memory leaks and i haven't had any problems.  i
would suggest that stream be completely deprecated in favor of stream2
until such a time as we can work out all of the bugs in stream3.
(essentially, blow away stream and rename the stream2 stuff as stream)
thoughts?

-chris

On Fri, 18 May 2001 william.c.gercken at ...350... wrote:

> Date: Fri, 18 May 2001 09:00:16 -0400
> From: william.c.gercken at ...350...
> To: Storms of Perfection <ancient at ...396...>
> Cc: snort-devel at lists.sourceforge.net,
>      snort-devel-admin at lists.sourceforge.net
> Subject: Re: [Snort-devel] Stream3 preprocessor question
>
>
> The jury is still out. Marty has not had a chance to look at the patches as
> of yet and the changes have not been made to CVS. He indicated that he may
> have a chance over the weekend. The version in CVS still has a leak. It
> is getting closer though.
>
> -bill
>
> Storms of Perfection <ancient at ...396...>
> Sent by: snort-devel-admin at ...424...eforge.net
> To: snort-devel at lists.sourceforge.net
> cc:
> Subject: [Snort-devel] Stream3 preprocessor question
> 05/18/2001 05:45 AM
>
> Is it safe to use without any memory leaks? Last time I tried the code, it
> ground my FreeBSD machine to a halt (ran out of both memory and swap)
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
>
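
Added example, not part of the original thread and not Snort code: a sketch of the idea raised above of sending some already-flushed data through the detection engine a second time so that a pattern split across a flush boundary is still seen whole. The names `detect` and `scan_stream`, the 8-byte flush size and the sample stream are assumptions made for illustration, and a naive byte search stands in for the detection engine.

```c
/* Added illustration, not Snort source: all names and sizes are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive substring search standing in for the detection engine. */
static int detect(const unsigned char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || len < plen)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/*
 * Flush a reassembled stream to detect() every flush_size bytes.
 * overlap = 0 inspects each flush alone; overlap = N also re-sends the
 * last N bytes of already-flushed data in front of the new flush.
 * Returns the number of flushes that alerted, or -1 on a bad flush_size.
 */
int scan_stream(const unsigned char *data, size_t len,
                size_t flush_size, size_t overlap, const char *pat)
{
    int alerts = 0;
    if (flush_size == 0)
        return -1;
    for (size_t off = 0; off < len; off += flush_size) {
        size_t start = off >= overlap ? off - overlap : 0;
        size_t end = len - off > flush_size ? off + flush_size : len;
        alerts += detect(data + start, end - start, pat);
    }
    return alerts;
}

/* Constructed sample: a 9-byte pattern straddling the 8-byte flush boundary. */
static const unsigned char SAMPLE[] = "aaaaaSIGNATUREbbbb";

int main(void)
{
    size_t n = sizeof(SAMPLE) - 1;
    printf("no overlap:     %d\n", scan_stream(SAMPLE, n, 8, 0, "SIGNATURE"));
    printf("overlap plen-1: %d\n", scan_stream(SAMPLE, n, 8, 8, "SIGNATURE"));
    /* An overlap longer than needed re-reports a short pattern. */
    printf("short pattern:  %d\n", scan_stream(SAMPLE, n, 8, 8, "aSI"));
    return 0;
}
```

An overlap of the longest pattern length minus one is enough to catch any pattern split across a boundary; the third call shows the cost, since a shorter pattern that falls inside the re-sent bytes alerts twice and needs de-duplication.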





