[Snort-devel] Stream4 woes ??

Lawrence Reed Lawrence.Reed at ...1489...
Tue Mar 11 06:27:24 EST 2003


More clarification.  

Chris Green wrote:

>"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
>
>>Russell,
>>Packet loss can probably cause this.  Are you dropping any packets?
>
>Just to clarify what he's referring to is snort having "holes" in the
>sequence numbers where it has a dirty buffer that is used for
>holding the stream packet data.

In addition to a dirty buffer from the holes, some of the real data in the 
stream is discarded.  When packets are missed the reassembled stream is 
not the right size, according to the sequence numbers.  To work around 
the size mismatch the end of the packet is truncated.  By definition the 
end of the packet contains real data.  Therefore you are losing that 
data and processing garbage.

>To test this, try seeing if adding a
>
>bzero(stream_pkt->pkt, 2048); to line 3584 of spp_stream4.c and
>running snort again.  If they all go away, it's packet loss. Try a
>smaller ruleset, increasing your memcaps, or CVS HEAD.

Please only use this as a test, the only real solution is to not drop 
packets.

-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
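
The dirty-buffer effect discussed in this message, as an added example that is not part of the original post and not Snort's code: a minimal C model of a reused reassembly buffer in which a dropped segment leaves a hole, showing that the hole carries stale bytes unless the buffer is zeroed first. The names `struct seg`, `reassemble`, `stale_bytes`, the 64-byte `BUF_SZ` and the sample segments are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 64   /* constructed size; the buffer in the thread is 2048 bytes */
struct seg { uint32_t seq; const char *data; };   /* hypothetical segment record */

/* Place each segment at (seq - base) and mark the bytes it covers. Returns the
 * span implied by the sequence numbers; *holes counts bytes no segment supplied. */
static size_t reassemble(uint8_t *buf, uint8_t *seen, uint32_t base,
                         const struct seg *s, size_t n, int zero_first, size_t *holes)
{
    size_t span = 0;
    if (zero_first) memset(buf, 0, BUF_SZ);   /* same idea as the bzero() test */
    memset(seen, 0, BUF_SZ);
    for (size_t i = 0; i < n; i++) {
        uint32_t off = s[i].seq - base;       /* unsigned, so wraparound is safe */
        size_t len = strlen(s[i].data);
        if (off >= BUF_SZ || len > BUF_SZ - off) continue;   /* does not fit */
        memcpy(buf + off, s[i].data, len);
        memset(seen + off, 1, len);
        if (off + len > span)
            span = off + len;
    }
    *holes = 0;
    for (size_t i = 0; i < span; i++)
        *holes += !seen[i];
    return span;
}

/* Constructed scenario: the buffer still holds an earlier stream ('X') and the
 * middle segment (seq 1010-1019) was dropped. Returns stale bytes left in holes. */
static size_t stale_bytes(int zero_first, size_t *holes)
{
    uint8_t buf[BUF_SZ], seen[BUF_SZ];
    const struct seg s[] = { {1000, "GET /index"}, {1020, " HTTP/1.0\n"} };
    size_t stale = 0, span;
    memset(buf, 'X', BUF_SZ);
    span = reassemble(buf, seen, 1000, s, 2, zero_first, holes);
    for (size_t i = 0; i < span; i++)
        stale += (!seen[i] && buf[i] != 0);
    return stale;
}

int main(void)
{
    size_t h, dirty = stale_bytes(0, &h), clean = stale_bytes(1, &h);
    printf("holes=%zu stale(dirty)=%zu stale(zeroed)=%zu\n", h, dirty, clean);
    return 0;
}
```

Zeroing removes the stale bytes but the hole count is unchanged, which is why it only works as a test for packet loss and does not recover the missing data.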
