[Snort-devel] pb 100% cpu with stream4 in snort 1.9.0 build209...build230
rmkml at ...1042...
Sun Mar 2 15:18:39 EST 2003
my conf stream4 is : (default conf)
preprocessor stream4: detect_scans, disable_evasion_alerts
I start nmap (on other box) and scan (on other box) 65000 (example)
ports via tcp Syn...
Snort detect scan, and stream4 start allocate memory (default stream4
memcap : 8 388 608),
when 8M is not full, snort use 20-60% cpu,
when 8M is full, snort use 100% cpu ! (and drop pcap packet, and Stream4
Memory Faults ...)
I use Freebsd 4.7Release.
Do you have same pb on Linux ?
I found my pb in src/preprocessors/spp_stream4.c : snort 1.9.0build230
666 if(stream4_memory_usage > s4data.memcap)
670 if(!PruneSessionCache((u_int32_t)tv_sec, 0, ssn))
672 /* if we can't prune due to time, just nuke 5 random sessions */
673 PruneSessionCache(0, 5, ssn);
If I comment 666-675, Im not pb,
If I comment 670-674, Im not pb,
If I comment only 673, I have pb ! (100%cpu)
Please, Could you me explain line 670 ?
and why this line use 100% cpu ? (when memcap is full)
Sorry for my bad English.
More information about the Snort-devel