[Snort-devel] question about a change made.

Chris Green cmg at ...402...
Mon Jun 10 08:27:10 EDT 2002

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> This question relates to the last update made to stream4.   The wonderful
> CVS page showed this change, which made me a little curious.  If you've set
> asynchronous_link, then wouldn't you want to call the one that handled Async?
> I've pasted a bit of the code from TcpActionAsync... It appears to be the
> only major difference between TcpAction and TcpActionAsync is what I've put
> below...

That's the thing I just updated so the Async one is called at the
correct time and not otherwise.  Do you see it being different than
that?  If so, please show a line number :)

> Also, if that's the only difference in code... why not just make
> TcpActionAsync call TcpAction after it's run that one difference before it?
> Would save you from having to update code in multiple places when you had to
> make a change...

Right now, the difference is trivial and the client side will just
treat what it's seen as acked (so it's vulnerable to overlapping
attacks).  Eventually, better detection of this on the async side
will be needed and the approach to it will be vastly different than
the state machine that we use for the normal case.

The async one shouldn't be used if you can help it, but some people
have to put IDS on lines where they can only see 1/2 the traffic, and
some is better than nothing.

Chris Green <cmg at ...402...>
"Yeah, but you're taking the universe out of context."
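
The reply above says a one-sided (async) view treats whatever it has seen as acked, which leaves it open to overlapping segments. A small defender-side illustration of the check that implies, counting retransmitted bytes whose content differs from the first copy captured; this is an added example, not Snort's stream4 code, and `half_stream`, `hs_init`, `hs_add` and the 64-byte window are hypothetical names and sizes chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIN 64                 /* constructed, tiny reassembly window for the demo */

struct half_stream {
    uint32_t base;             /* sequence number that maps to buf[0] */
    uint8_t  buf[WIN];         /* first copy seen of each byte */
    uint8_t  seen[WIN];        /* 1 once that position has been captured */
    unsigned conflicts;        /* overlapped bytes whose content changed */
};

void hs_init(struct half_stream *s, uint32_t isn)
{
    memset(s, 0, sizeof(*s));
    s->base = isn;
}

/* Record one segment from the visible direction. With no ACKs to consult,
 * the first copy of a byte is kept; a later segment that overlaps it with
 * different content is counted instead of silently accepted.
 * Returns the number of conflicting bytes, or -1 if outside the window. */
int hs_add(struct half_stream *s, uint32_t seq, const uint8_t *data, uint32_t len)
{
    uint32_t off = seq - s->base;      /* unsigned math copes with seq wrap */
    int bad = 0;

    if (off >= WIN || len > WIN - off)
        return -1;
    for (uint32_t i = 0; i < len; i++) {
        if (!s->seen[off + i]) {
            s->buf[off + i] = data[i];
            s->seen[off + i] = 1;
        } else if (s->buf[off + i] != data[i]) {
            bad++;                     /* same sequence number, different byte */
        }
    }
    s->conflicts += (unsigned)bad;
    return bad;
}

int main(void)
{
    struct half_stream s;
    hs_init(&s, 1000);                                   /* constructed ISN */
    hs_add(&s, 1000, (const uint8_t *)"hello world", 11);
    hs_add(&s, 1006, (const uint8_t *)"world!", 6);      /* benign retransmit */
    printf("conflicts in rewrite: %d\n",
           hs_add(&s, 1006, (const uint8_t *)"WORLD", 5));
    return 0;
}
```

A nonzero return is the signal worth alerting on: an identical retransmission overlaps cleanly, while a rewrite of already-seen sequence space does not.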
