Daniel Roelker
Thu Jan 16 11:45:03 EST 2003

On 1/16/03 12:29 PM, "Lawrence Reed" <Lawrence.Reed at ...1489...> wrote:

> Dan,
> Thanks for your time at the Snort Users Group meeting last week.  I
> learned more about the 2.0 environment, and that helps me to make Snort
> more useful.

You're welcome.  I'm glad that it was helpful, and by the way thanks for
testing 2.0.

> I have been trying the perfstats preprocessor you discussed and have run
> into a couple of problems.
> First, I am trying to use the "file perfstats.csv" option to write the
> data to a file.  But the preprocessor does not use the pv.log_dir
> variable to set the path to the log file.  So snort cannot open this
> file.  I modified the perf.c code to include this, similar to
> spp_portscan2.c.  See diff below.

We want users to be able to put the performance statistics into any
directory that they would like to, not just the Snort logging directory.  So
what I'll do is add another parameter "snortfile <file>" that will let you
log into the snort directory directly.

> The second issue is with the sfBase->iTotalSessions variable, or more
> specifically with the call to AddStreamSession in spp_stream4.c.
> Is this variable the "number of current sessions"?  It looks like it is.
> However, the iTotalSessions variable increases without bound on my
> system.  While I think my system is a little busy, I don't believe that
> I have 1.6 million active sessions.    I think the problem is near line
> 1549 of spp_stream4.c.  Should AddStreamSession be called every time, or
> only if ssn is not null?  I have included a diff that makes this changes
> and produces numbers that seem better.

That change makes sense.  Chris or I will add it to cvs.

Thanks again for testing out 2.0 and for diagnosing the problems you were

Daniel Roelker
Software Engineer
droelker at ...402...


