[Snort-devel] [Resend] pb 100% cpu with stream4 in snort 1.9.0 build209...build230
rmkml at ...1042...
Wed Mar 5 08:12:13 EST 2003
my conf stream4 is : (default conf)
preprocessor stream4: detect_scans, disable_evasion_alerts
I start nmap (on other box) and scan (on other box) 65000 (example)
ports via tcp Syn...
Snort detect scan, and stream4 start allocate memory (default stream4
memcap : 8 388 608),
when 8M is not fill, snort use 20-60% cpu (and 100%cpu during 1s),
when 8M is fill, snort use 100% cpu during 5s ! (and drop 30% pcap
packet, and Stream4
Memory Faults ...)
I use Freebsd 4.7Release.
Do you have same pb on Linux ?
I found my pb in src/preprocessors/spp_stream4.c : snort 1.9.0build230
666 if(stream4_memory_usage > s4data.memcap)
670 if(!PruneSessionCache((u_int32_t)tv_sec, 0, ssn))
672 /* if we can't prune due to time, just nuke 5 random sessions */
673 PruneSessionCache(0, 5, ssn);
If I comment 666-675, Im not pb,
If I comment 670-674, Im not pb,
If I comment only 673, I have pb ! (100%cpu)
Please, Could you me explain line 670 ?
and why this line use 100% cpu ? (when memcap is fill)
Sorry for my bad English.
More information about the Snort-devel