[Snort-devel] Bug in stream5 global - prune_log_max <bytes>

Bhagya Bantwal bbantwal at ...402...
Wed Mar 13 18:41:07 EDT 2013


Elof and Gregory,

A bug has been filed to track this issue. Thank you for reporting this issue.

-B

On Wed, Mar 13, 2013 at 5:38 PM, Gregory S Thomas <greg.thomas at ...3372...> wrote:
> I ran into the same problem with 2.9.4 and reported it to the list last month, but the fix did not make it into 2.9.4.1.  Here is the previous message I sent:
>
>> Date: Tue, 19 Feb 2013 17:40:35 -0800
>> From: Gregory S Thomas <greg.thomas at ...3372...>
>> Subject: [Snort-devel] stream5 prune_log_max fix
>> To: snort-devel at lists.sourceforge.net
>>
>> The documentation (snort-2.9.4/doc/README.stream5) says that setting prune_log_max to 0 disables the messages, but this does not work.  The source code implements it correctly in one place
>> (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_session.c):
>>
>>  558     if (prune_log_max
>>  559             && ((old_mem_in_use - mem_in_use ) > prune_log_max))
>>
>> but not in the second place (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_tcp.c):
>>
>> 4582 #define POST_SESSION_CLEANUP(delete_reason) \
>> 4583     if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \
>>
>> Changing the code as shown below appears to fix the problem:
>>
>> 4583     if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use )
>>              > s5_global_eval_config->prune_log_max)) \
>>
>> Please consider incorporating this fix into a future version of snort.
>>
>> Thanks,
>>
>> Greg Thomas
>
> Here is a patch for 2.9.4.1:
>
> shell> env LC_ALL=C TZ=UTC0 diff -aur snort-2.9.4.1 snort-2.9.4.1.patched
> diff -aur snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c
> --- snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-02-19 22:14:24.000000000 +0000
> +++ snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-03-13 21:31:16.000000000 +0000
> @@ -4630,7 +4630,7 @@
>       sfip_set_ip(&server_ip, &lwssn->server_ip);
>
>   #define POST_SESSION_CLEANUP(delete_reason) \
> -    if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \
> +    if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max)) \
>       { \
>           char *client_ip_str, *server_ip_str; \
>           client_ip_str = SnortStrdup(inet_ntoa(&client_ip)); \
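Review bot: the added `s5_global_eval_config->prune_log_max &&` guard makes the TCP cleanup path agree with the `if (prune_log_max && ...)` form already used in snort_stream5_session.c, so a threshold of 0 now disables the message as README.stream5 documents. One thing to confirm while touching this line: the difference `(old_mem_in_use - mem_in_use )` is still computed before the comparison, so if these counters are unsigned, a cleanup where `mem_in_use` is not below `old_mem_in_use` would wrap to a large value and trip the log for any non-zero threshold; if that ordering is guaranteed by the caller, a short comment above the macro would save the next reader the same question.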
>
> Please add this to the next version of snort.
>
> Thanks,
>
> Greg Thomas
>
> -----Original Message-----
> Date: Wed, 13 Mar 2013 13:42:35 +0100 (CET)
> From: elof at ...969...
> Subject: [Snort-devel] Bug in stream5 global - prune_log_max <bytes>
> To: snort-devel mailinglist <snort-devel at lists.sourceforge.net>, bugs at ...835...
>
> Hi!
>
> Just wanted to report a bug.
>
> The README.stream5 and manual states that setting 'prune_log_max' to 0
> should disable logging completely.
> This is not the case. Instead I get LOTS of logs, for sessions that are
> using just a few bytes.
> (the default if not specifying any 'prune_log_max' at all is to only log
> a message if a terminated session used more than 1 MB of data)
>
> preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no,
> max_tcp 262144, max_udp 131072, max_active_responses 2,
> min_response_seconds 5, prune_log_max 0, memcap 640578048
>
> Result: My syslog spew out these lines at a high rate:
>
> Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that
> was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045
> (0) : LWstate 0xc8 LWFlags 0x416107
> [similar lines elided]
>
> /Elof
>
>
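To make the reported behaviour concrete, here is an added C example (not Snort's own code) that models the `POST_SESSION_CLEANUP` condition before and after the patch as two plain functions; the `PruneLogConfig` struct and the function names are hypothetical stand-ins for `s5_global_eval_config->prune_log_max`, and the 778-byte session and 1 MB default threshold come from the report above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the relevant field of s5_global_eval_config.
 * README.stream5 documents 0 as "disable the prune messages". */
typedef struct {
    uint32_t prune_log_max;
} PruneLogConfig;

/* Pre-patch condition from POST_SESSION_CLEANUP in snort_stream5_tcp.c:
 * with prune_log_max == 0 the test degenerates to "freed > 0", so every
 * pruned session that held any memory at all is logged. */
bool prune_log_before(const PruneLogConfig *cfg,
                      uint32_t old_mem_in_use, uint32_t mem_in_use)
{
    return (old_mem_in_use - mem_in_use) > cfg->prune_log_max;
}

/* Post-patch condition: a zero threshold short-circuits the comparison,
 * matching the form already used in snort_stream5_session.c. */
bool prune_log_after(const PruneLogConfig *cfg,
                     uint32_t old_mem_in_use, uint32_t mem_in_use)
{
    return cfg->prune_log_max &&
           ((old_mem_in_use - mem_in_use) > cfg->prune_log_max);
}

int main(void)
{
    /* Constructed inputs: the 778-byte session from Elof's syslog, and the
     * 1 MB default threshold mentioned in the report. */
    const PruneLogConfig disabled = { 0 };
    const PruneLogConfig dflt = { 1048576 };

    printf("prune_log_max=0, 778 bytes freed: before=%d after=%d\n",
           prune_log_before(&disabled, 778, 0),
           prune_log_after(&disabled, 778, 0));
    printf("prune_log_max=1MB, 2MB freed:     before=%d after=%d\n",
           prune_log_before(&dflt, 2 * 1048576, 0),
           prune_log_after(&dflt, 2 * 1048576, 0));
    return 0;
}
```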