[Snort-devel] [Resend] pb 100% cpu with stream4 in snort 1.9.0 build209...build230

rmkml rmkml at ...1042...
Wed Mar 5 08:12:13 EST 2003


Hi,

my conf stream4 is : (default conf)
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble

I start nmap (on other box) and scan (on other box) 65000 (example)
ports via tcp Syn...

Snort detect scan, and stream4 start allocate memory (default stream4
memcap : 8 388 608),

when 8M is not fill, snort use 20-60% cpu (and 100%cpu during 1s),

when 8M is fill, snort use 100% cpu during 5s ! (and drop 30% pcap
packet, and Stream4

Memory Faults ...)

I use Freebsd 4.7Release.

Do you have same pb on Linux ?

I found my pb in src/preprocessors/spp_stream4.c : snort 1.9.0build230

666 if(stream4_memory_usage > s4data.memcap)
667 {
668    pc.str_mem_faults++;
670    if(!PruneSessionCache((u_int32_t)tv_sec, 0, ssn))
671    {
672 /* if we can't prune due to time, just nuke 5 random sessions */
673      PruneSessionCache(0, 5, ssn);
674    }
675  }

If I comment 666-675, Im not pb,

If I comment 670-674, Im not pb,

If I comment only 673, I have pb ! (100%cpu)

Please, Could you me explain line 670 ?
and why this line use 100% cpu ? (when memcap is fill)
Patch ?

Sorry for my bad English.

Regards.





More information about the Snort-devel mailing list