[Snort-devel] Stream3 preprocessor question

Bill Gercken bgercken at ...351...
Fri May 18 22:36:54 EDT 2001


I was able to clean up some of the bugs in the avl_tree code, which were
causing leaks. I will clean this up and provide a diff against the current
CVS for what it is worth. There were also some other minor changes to the
spp_tcp_stream3 code as well. Let me know if I can help in any way.

-bill

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Christopher
E. Cramer
Sent: Friday, May 18, 2001 5:33 PM
To: william.c.gercken at ...350...
Cc: Storms of Perfection; snort-dev
Subject: Re: [Snort-devel] Stream3 preprocessor question



it may be a bit worse than that.  stream3 broke some of the correct error
checking mechanisms in the tcp reconstruction.

marty and i talked about a little of this and there are some solutions
that have not yet been implemented.  the biggest problem is that the
stream and stream2 processors used the ACK to decide when data had been
officially and correctly received by the destination.  there are also a
few problems w/ stream3 regarding when to send out packets.
stream/stream2 used CR or LF to do this.  This probably isn't right.
stream3 uses 2*max_pattern which unfortunately also is not correct.  I
believe that the correct way of doing this may involve possibly sending
some subset of the data through the detection engine twice in order to be
certain that the detection engine sees a complete pattern.  i'll try and
work on these issues over the weekend.

also, i've been running stream2 now for well over a week on my gigabit
feed.  i don't see any memory leaks and i haven't had any problems.  i
would suggest that stream be completely deprecated in favor of stream2
until such a time as we can work out all of the bugs in stream3.
(essentially, blow away stream and rename the stream2 stuff as stream)
thoughts?

-chris

On Fri, 18 May 2001 william.c.gercken at ...350... wrote:

> Date: Fri, 18 May 2001 09:00:16 -0400
> From: william.c.gercken at ...350...
> To: Storms of Perfection <ancient at ...396...>
> Cc: snort-devel at lists.sourceforge.net,
>      snort-devel-admin at lists.sourceforge.net
> Subject: Re: [Snort-devel] Stream3 preprocessor question
>
>
> The jury is still out. Marty has not had a chance to look at the patches as
> of yet and the changes have not been made to CVS. He indicated that he may
> have any chance over the weekend. The version in CVS still has a leak. It
> is getting closer though.
>
> -bill
>
>
> Storms of Perfection <ancient at ...396...>
> Sent by: snort-devel-admin at ...424...eforge.net
> 05/18/2001 05:45 AM
>
> To: snort-devel at lists.sourceforge.net
> cc:
> Subject: [Snort-devel] Stream3 preprocessor question
>
> Is it safe to use without any memory leaks? Last time I tried the code, it
> ground my FreeBSD machine to a halt (ran out of both memory and swap)
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

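An added illustration of the flush-point problem raised in Chris's message (not code from Snort, spp_tcp_stream3, or anyone in this thread): a hypothetical reassembler hands the stream to a stand-in detection function every 2*max_pattern bytes, first as independent pieces and then with the last max_pattern-1 bytes sent through a second time. The function names, the sample stream and the pattern `SIGNATURE` are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: two copies of a 9-byte pattern; the first one spans
 * the flush point at offset 18 (2 * 9), the second sits inside a piece. */
static const char SAMPLE[] = "AAAAAAAAAAAASIGNATUREBBBSIGNATURECCC";

/* Stand-in for the detection engine: count occurrences of pat in buf. */
static size_t detect(const char *buf, size_t len, const char *pat, size_t plen)
{
    size_t hits = 0;
    if (plen == 0 || len < plen)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            hits++;
    return hits;
}

/* Hypothetical reassembler: passes the stream to detect() in flush-sized
 * pieces, each prefixed with the last `overlap` bytes already inspected.
 * overlap = 0 models independent flushes. overlap = strlen(pat) - 1 sends
 * just enough data through twice that a pattern crossing a flush point is
 * seen whole, while no match fits inside the repeated bytes alone, so
 * each occurrence is counted exactly once. */
size_t scan_flushed(const char *stream, size_t len, size_t flush,
                    size_t overlap, const char *pat)
{
    size_t plen = strlen(pat), hits = 0;
    if (flush == 0)
        return 0;
    for (size_t off = 0; off < len; off += flush) {
        size_t start = off > overlap ? off - overlap : 0;
        size_t end = len - off > flush ? off + flush : len;
        hits += detect(stream + start, end - start, pat, plen);
    }
    return hits;
}

int main(void)
{
    const char *pat = "SIGNATURE";
    size_t len = strlen(SAMPLE), flush = 2 * strlen(pat);
    printf("independent flushes: %zu hit(s)\n",
           scan_flushed(SAMPLE, len, flush, 0, pat));
    printf("with %zu-byte overlap: %zu hit(s)\n", strlen(pat) - 1,
           scan_flushed(SAMPLE, len, flush, strlen(pat) - 1, pat));
    return 0;
}
```

With independent flushes the occurrence that crosses offset 18 is never presented whole to the detection function; with the overlap both occurrences are found and neither is reported twice.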