[Snort-devel] Active_Resume() not always being called after Active_Suspend()
mike.cox52 at ...2499...
Fri Dec 4 15:43:50 EST 2015
When pruning, the function Active_Suspend() gets called and alerts
generated during this time, when the sensor is in inline mode, are marked
as "Would Have Dropped". I am assuming that such events are ones that are
in the session that is being pruned.
When the pruning is done, the function Active_Resume() is called. However,
there is one case where that doesn't happen. Here is the code (
static int pruneSessionCache( void *sessionCache, uint32_t thetime, void
*save_me_session, int memCheck )
SessionControlBlock *save_me = ( SessionControlBlock * )
SessionCache *session_cache = ( SessionCache * ) sessionCache;
uint32_t pruned = 0;
if( thetime != 0 )
/* Pruning, look for sessions that have time'd out */
scb = ( SessionControlBlock * ) sfxhash_lru(
if( scb == NULL )
I think there should be this line before the highlighted "return 0;":
In fact if you look at earlier Snort versions like 2.9.6, it is there. It
looks like it was changed in 2.9.7. Was there a good reason that it was
removed or does it make sense to put it back? Please let me know since I
plan on making the change and rebuilding Snort for all my boxes.
Usually, at least I think, the scb shouldn't be NULL but if it is, the
sensor is stuck in Active_Suspend until prunes happen again.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel