[Snort-devel] Bug in stream5 global - prune_log_max <bytes>

Gregory S Thomas greg.thomas at ...3372...
Wed Mar 13 17:38:16 EDT 2013


I ran into the same problem with 2.9.4 and reported it to the list last month, but the fix did not make it into 2.9.4.1.  Here is the previous message I sent:

> Date: Tue, 19 Feb 2013 17:40:35 -0800
> From: Gregory S Thomas <greg.thomas at ...3372...>
> Subject: [Snort-devel] stream5 prune_log_max fix
> To: snort-devel at lists.sourceforge.net
>
> The documentation (snort-2.9.4/doc/README.stream5) says that setting prune_log_max to 0 disables the messages,
> but this does not work.  The source code implements it correctly in one place
> (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_session.c):
>
>  558     if (prune_log_max
>  559             && ((old_mem_in_use - mem_in_use ) > prune_log_max))
>
> but not in the second place (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_tcp.c):
>
> 4582 #define POST_SESSION_CLEANUP(delete_reason) \
> 4583     if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \
>
> Changing the code as shown below appears to fix the problem:
>
> 4583     if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use )
>              > s5_global_eval_config->prune_log_max)) \
>
> Please consider incorporating this fix into a future version of snort.
>
> Thanks,
>
> Greg Thomas

Here is a patch for 2.9.4.1:

shell> env LC_ALL=C TZ=UTC0 diff -aur snort-2.9.4.1 snort-2.9.4.1.patched
diff -aur snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c
--- snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-02-19 22:14:24.000000000 +0000
+++ snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-03-13 21:31:16.000000000 +0000
@@ -4630,7 +4630,7 @@
      sfip_set_ip(&server_ip, &lwssn->server_ip);
  
  #define POST_SESSION_CLEANUP(delete_reason) \
-    if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \
+    if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max)) \
      { \
          char *client_ip_str, *server_ip_str; \
          client_ip_str = SnortStrdup(inet_ntoa(&client_ip)); \
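Review bot: the added `s5_global_eval_config->prune_log_max &&` guard makes 0 disable the pruned-session message here, matching the existing `if (prune_log_max && ...)` check in snort_stream5_session.c quoted earlier in this thread; since the same condition now lives in two files, consider moving it into one shared inline helper so the two sites cannot drift apart again, and wrap the long new condition across two lines (as in the earlier quoted version) to keep the macro readable.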

Please add this to the next version of snort.

Thanks,

Greg Thomas

-----Original Message-----
Date: Wed, 13 Mar 2013 13:42:35 +0100 (CET)
From: elof at ...969...
Subject: [Snort-devel] Bug in stream5 global - prune_log_max <bytes>
To: snort-devel mailinglist <snort-devel at lists.sourceforge.net>, bugs at ...835...

Hi!

Just wanted to report a bug.

The README.stream5 and manual state that setting 'prune_log_max' to 0
should disable logging completely.
This is not the case. Instead I get LOTS of logs, for sessions that are
using just a few bytes.
(the default if not specifying any 'prune_log_max' at all is to only log
a message if a terminated session used more than 1 MB of data)

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no,
max_tcp 262144, max_udp 131072, max_active_responses 2,
min_response_seconds 5, prune_log_max 0, memcap 640578048

Result: My syslog spews out these lines at a high rate:

Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that
was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045
(0) : LWstate 0xc8 LWFlags 0x416107
[similar lines elided]

/Elof
