[Snort-devel] Active_Resume() not always being called after Active_Suspend()
Nageswara Rao A.V.K (navk)
navk at ...3461...
Sat Dec 5 03:07:53 EST 2015
Change is not required.
If you see the “pruneSessionCache” calling, the same function being called two times.
If the “return 0” hits in first call, this flag will be resumed in second call.
Until the session pruning completes, we should not call “Active_Resume() “.
From: Mike Cox [mailto:mike.cox52 at ...2499...]
Sent: Saturday, December 05, 2015 2:14 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Active_Resume() not always being called after Active_Suspend()
When pruning, the function Active_Suspend() gets called and alerts generated during this time, when the sensor is in inline mode, are marked as "Would Have Dropped". I am assuming that such events are ones that are in the session that is being pruned.
When the pruning is done, the function Active_Resume() is called. However, there is one case where that doesn't happen. Here is the code (src/preprocessors/spp_session.c):
static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck )
SessionControlBlock *save_me = ( SessionControlBlock * ) save_me_session;
SessionCache *session_cache = ( SessionCache * ) sessionCache;
uint32_t pruned = 0;
if( thetime != 0 )
/* Pruning, look for sessions that have time'd out */
scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );
if( scb == NULL )
I think there should be this line before the highlighted "return 0;":
In fact if you look at earlier Snort versions like 2.9.6, it is there. It looks like it was changed in 2.9.7. Was there a good reason that it was removed or does it make sense to put it back? Please let me know since I plan on making the change and rebuilding Snort for all my boxes.
Usually, at least I think, the scb shouldn't be NULL but if it is, the sensor is stuck in Active_Suspend until prunes happen again.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel