[Snort-devel] Active_Resume() not always being called after Active_Suspend()

Nageswara Rao A.V.K (navk) navk at ...3461...
Sat Dec 5 03:07:53 EST 2015


Hi Mike,

   Change is not required.
If you look at where “pruneSessionCache” is called, the same function is called two times.
If the “return 0” is hit in the first call, this flag will be resumed in the second call.

Until the session pruning completes, we should not call “Active_Resume()”.

Regards,
-ANR

From: Mike Cox [mailto:mike.cox52 at ...2499...]
Sent: Saturday, December 05, 2015 2:14 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Active_Resume() not always being called after Active_Suspend()

When pruning, the function Active_Suspend() gets called and alerts generated during this time, when the sensor is in inline mode, are marked as "Would Have Dropped".  I am assuming that such events are ones that are in the session that is being pruned.

When the pruning is done, the function Active_Resume() is called.  However, there is one case where that doesn't happen.  Here is the code (src/preprocessors/spp_session.c):

static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck )
{
    SessionControlBlock *save_me = ( SessionControlBlock  * ) save_me_session;
    SessionCache *session_cache = ( SessionCache * ) sessionCache;
    SessionControlBlock *scb;
    uint32_t pruned = 0;

    Active_Suspend();

    if( thetime != 0 )
    {
        /* Pruning, look for sessions that have time'd out */
        bool got_one;
        scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );

        if( scb == NULL )
            return 0;

I think there should be this line before the highlighted "return 0;":

Active_Resume();

In fact if you look at earlier Snort versions like 2.9.6, it is there.  It looks like it was changed in 2.9.7.  Was there a good reason that it was removed or does it make sense to put it back?  Please let me know since I plan on making the change and rebuilding Snort for all my boxes.

Usually, at least I think, the scb shouldn't be NULL but if it is, the sensor is stuck in Active_Suspend until prunes happen again.
Thanks.
-Mike Cox
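
The control-flow pattern discussed in this thread, as an added C example that is not Snort source or either poster's code. A single flag models the suspend state; the `model_*`, `prune_*` and `would_have_dropped` names and the sample array are assumptions made for illustration. It compares an early return that skips the resume call with a single-exit layout, and shows a later call that reaches the resume clearing the state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Snort source: one flag stands in for the suspend state. */
static bool suspended = false;
static void model_suspend(void) { suspended = true; }
static void model_resume(void)  { suspended = false; }

/* Inline-mode outcome for an alert: 1 = "would have dropped", 0 = dropped. */
static int would_have_dropped(void) { return suspended ? 1 : 0; }

/* Shape of the quoted excerpt: the empty-cache path returns without resuming. */
static int prune_early_return(const int *lru, size_t n)
{
    int pruned = 0;
    model_suspend();
    if (lru == NULL || n == 0)
        return 0;                   /* suspend state is left set for the caller */
    for (size_t i = 0; i < n; i++)
        pruned += lru[i] ? 1 : 0;   /* constructed stand-in for the timeout test */
    model_resume();
    return pruned;
}

/* Single-exit variant: every path passes through the resume call. */
static int prune_single_exit(const int *lru, size_t n)
{
    int pruned = 0;
    model_suspend();
    if (lru == NULL || n == 0)
        goto done;
    for (size_t i = 0; i < n; i++)
        pruned += lru[i] ? 1 : 0;
done:
    model_resume();
    return pruned;
}

int main(void)
{
    int timed_out[3] = {1, 0, 1};   /* constructed sample: 1 = session timed out */
    prune_early_return(NULL, 0);
    printf("early return, empty cache:   would_drop=%d\n", would_have_dropped());
    prune_early_return(timed_out, 3);
    printf("early return, second call:   would_drop=%d\n", would_have_dropped());
    prune_single_exit(NULL, 0);
    printf("single exit, empty cache:    would_drop=%d\n", would_have_dropped());
    return 0;
}
```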