[Snort-devel] Active_Resume() not always being called after Active_Suspend()

Mike Cox mike.cox52 at ...2499...
Fri Dec 4 15:43:50 EST 2015


When pruning, the function Active_Suspend() gets called and alerts
generated during this time, when the sensor is in inline mode, are marked
as "Would Have Dropped".  I am assuming that such events are ones that are
in the session that is being pruned.

When the pruning is done, the function Active_Resume() is called.  However,
there is one case where that doesn't happen.  Here is the code
(src/preprocessors/spp_session.c):

static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck )
{
    SessionControlBlock *save_me = ( SessionControlBlock * ) save_me_session;
    SessionCache *session_cache = ( SessionCache * ) sessionCache;
    SessionControlBlock *scb;
    uint32_t pruned = 0;

    Active_Suspend();

    if( thetime != 0 )
    {
        /* Pruning, look for sessions that have time'd out */
        bool got_one;
        scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );

        if( scb == NULL )
            return 0;

I think there should be this line before the highlighted "return 0;":

    Active_Resume();

In fact if you look at earlier Snort versions like 2.9.6, it is there.  It
looks like it was changed in 2.9.7.  Was there a good reason that it was
removed or does it make sense to put it back?  Please let me know since I
plan on making the change and rebuilding Snort for all my boxes.

Usually, at least I think, the scb shouldn't be NULL but if it is, the
sensor is stuck in Active_Suspend until prunes happen again.

Thanks.

-Mike Cox
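
Added example, not part of the original message and not Snort source: a toy C model of the suspend/resume pairing described above, showing how an early return between the two calls leaves later drop verdicts downgraded, next to a single-exit variant. All names (model_suspend, prune_leaky, prune_balanced, and so on) are hypothetical, and the boolean suspend flag is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { VERDICT_DROP, VERDICT_WOULD_DROP } verdict_t;

static bool g_suspended = false;   /* assumed stand-in for the suspend state */

static void model_suspend(void) { g_suspended = true; }
static void model_resume(void)  { g_suspended = false; }

/* Inline-mode verdict for a drop rule: while suspended, only "would drop". */
static verdict_t model_drop_verdict(void)
{
    return g_suspended ? VERDICT_WOULD_DROP : VERDICT_DROP;
}

/* Same shape as the excerpt: the empty-LRU return skips the resume call. */
static int prune_leaky(const int *lru, size_t n)
{
    model_suspend();
    if (lru == NULL || n == 0)
        return 0;                  /* suspend state leaks past this return */
    model_resume();
    return (int)n;                 /* pretend every entry had timed out */
}

/* Single exit: every path after the suspend reaches the resume. */
static int prune_balanced(const int *lru, size_t n)
{
    int pruned = 0;
    model_suspend();
    if (lru != NULL && n != 0)
        pruned = (int)n;
    model_resume();
    return pruned;
}

/* Verdict the next alert receives after a prune over an empty cache. */
static verdict_t verdict_after_empty_prune(int (*prune)(const int *, size_t))
{
    g_suspended = false;
    prune(NULL, 0);
    return model_drop_verdict();
}

int main(void)
{
    printf("leaky: %d balanced: %d (0 = drop, 1 = would drop)\n",
           verdict_after_empty_prune(prune_leaky),
           verdict_after_empty_prune(prune_balanced));
    return 0;
}
```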