[Snort-devel] Stream4 woes ??
Lawrence.Reed at ...1489...
Tue Mar 11 06:27:24 EST 2003
Chris Green wrote:
>"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
>>Packet loss can probably cause this. Are you dropping any packets?
>Just to clarify what he's referring to is snort having "holes" in the
>sequence numbers where it has a dirty buffer that is used for
>holding the stream packet data.
In addition to a dirty buffer from the holes, some of the real data in the
stream is discarded. When packets are missed the reassembled stream is
not the right size, according to the sequence numbers. To work around
the size mismatch the end of the packet is truncated. By definition the
end of the packet contains real data. Therefore you are losing that
data and processing garbage.
>To test this, try seeing if adding a
>bzero(stream_pkt->pkt, 2048); to line 3584 of spp_stream4.c and
>running snort again. If they all go away, it's packet loss. Try a
>smaller ruleset, increasing your memcaps, or CVS HEAD.
Please only use this as a test, the only real solution is to not drop
Larry Reed Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
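
The dirty-buffer effect discussed in this message, as an added example that is not part of the original mail and is not Snort's stream4 code: a simplified model in which segments are copied into a reused 2048-byte buffer by sequence offset, with and without zeroing it first. All names (reassemble, hole_demo, struct segment) and the sample segments are constructed for illustration; the truncation behaviour mentioned above is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STREAM_BUF 2048            /* size used in the quoted bzero() test */

struct segment { uint32_t seq; const char *data; size_t len; };
struct result  { uint8_t hole_byte; size_t holes, span; };

/* Copy each segment to buf[seq - base_seq]; return the number of bytes inside
 * the reassembled span that no segment covered (the "holes"). */
size_t reassemble(uint8_t *buf, uint32_t base_seq, const struct segment *segs,
                  size_t n, int zero_first, size_t *span)
{
    uint8_t covered[STREAM_BUF] = {0};
    size_t end = 0, holes = 0;

    if (zero_first)
        memset(buf, 0, STREAM_BUF);          /* same effect as the bzero() test */
    for (size_t i = 0; i < n; i++) {
        uint32_t off = segs[i].seq - base_seq;   /* modular: survives seq wrap */
        if (off >= STREAM_BUF || segs[i].len > STREAM_BUF - off)
            continue;                        /* does not fit: skip, no overflow */
        memcpy(buf + off, segs[i].data, segs[i].len);
        memset(covered + off, 1, segs[i].len);
        if (off + segs[i].len > end)
            end = off + segs[i].len;
    }
    for (size_t i = 0; i < end; i++)
        holes += !covered[i];
    *span = end;
    return holes;
}

/* Constructed sample: the segment carrying seq 1005..1009 was dropped. */
struct result hole_demo(int zero_first)
{
    static uint8_t buf[STREAM_BUF];
    const struct segment segs[] = { {1000, "GET /", 5}, {1010, "HTTP", 4} };
    struct result r;

    memset(buf, 'A', sizeof buf);            /* stale data from an earlier stream */
    r.holes = reassemble(buf, 1000, segs, 2, zero_first, &r.span);
    r.hole_byte = buf[5];                    /* first byte inside the hole */
    return r;
}
```

Without zeroing, the hole still holds bytes from the previous stream and a content match can fire on them; zeroing hides the stale bytes but the hole count is unchanged, so the dropped data is still missing.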