[Snort-devel] Active_Resume() not always being called after Active_Suspend()

Russ rucombs at ...3461...
Sat Dec 5 05:14:29 EST 2015



On 12/5/15 3:07 AM, Nageswara Rao A.V.K (navk) wrote:
>
> Hi Mike,
>
> Change is not required.
>
> If you look at the calls to “pruneSessionCache”, the same function is 
> being called two times.
>
> If the “return 0” is hit in the first call, this flag will be resumed 
> in the second call.
>
> Until the session pruning completes, we should not call 
> “Active_Resume()”.
>
It works as is but isn't future proof.  That should be updated as Mike 
suggests.

Thanks Mike.
Russ
>
> Regards,
>
> -ANR
>
> *From:*Mike Cox [mailto:mike.cox52 at ...2499...]
> *Sent:* Saturday, December 05, 2015 2:14 AM
> *To:* snort-devel at lists.sourceforge.net
> *Subject:* [Snort-devel] Active_Resume() not always being called after 
> Active_Suspend()
>
> When pruning, the function Active_Suspend() gets called and alerts 
> generated during this time, when the sensor is in inline mode, are 
> marked as "Would Have Dropped".  I am assuming that such events are 
> ones that are in the session that is being pruned.
>
> When the pruning is done, the function Active_Resume() is called.  
> However, there is one case where that doesn't happen.  Here is the 
> code (src/preprocessors/spp_session.c):
>
> static int pruneSessionCache( void *sessionCache, uint32_t thetime,
>                               void *save_me_session, int memCheck )
> {
>     SessionControlBlock *save_me = ( SessionControlBlock * ) save_me_session;
>     SessionCache *session_cache = ( SessionCache * ) sessionCache;
>     SessionControlBlock *scb;
>     uint32_t pruned = 0;
>
>     *Active_Suspend();*
>
>     if( thetime != 0 )
>     {
>         /* Pruning, look for sessions that have time'd out */
>         bool got_one;
>         scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );
>
>         if( scb == NULL )
>             return 0;
>
> I think there should be this line before the highlighted "return 0;":
>
> *Active_Resume();*
>
> In fact if you look at earlier Snort versions like 2.9.6, it is 
> there.  It looks like it was changed in 2.9.7.  Was there a good 
> reason that it was removed or does it make sense to put it back?  
> Please let me know since I plan on making the change and rebuilding 
> Snort for all my boxes.
>
> Usually, at least I think, the scb shouldn't be NULL but if it is, the 
> sensor is stuck in Active_Suspend until prunes happen again.
>
> Thanks.
>
> -Mike Cox
>
>
>
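
The early-return path discussed in this thread, as an added example that is not part of the original messages or of Snort's source. It is a simplified stand-in: the suspend flag is assumed to be a plain boolean, and every name in it (`model_suspend`, `model_resume`, `ModelCache`, `prune_early_return`, `prune_single_exit`) is hypothetical. It shows the flag left set by the empty-cache return, beside a single-exit form in which every path reaches the one resume call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the sensor-wide flag; assumed here to be a plain boolean. */
static bool suspended = false;
static void model_suspend(void) { suspended = true; }
static void model_resume(void)  { suspended = false; }
bool model_is_suspended(void)   { return suspended; }

/* Constructed session list: each entry is a last-seen timestamp. */
typedef struct { const unsigned *last_seen; size_t count; } ModelCache;

/* Shape of the function quoted in the thread: the empty-cache path
 * returns without resuming, so the flag stays set after the call. */
int prune_early_return(const ModelCache *cache, unsigned now, unsigned timeout)
{
    int pruned = 0;
    model_suspend();
    if (cache->count == 0)
        return 0;                      /* leaves the flag set */
    for (size_t i = 0; i < cache->count; i++)
        if (now - cache->last_seen[i] > timeout)
            pruned++;                  /* count sessions that timed out */
    model_resume();
    return pruned;
}

/* Single-exit form: every path, including any added later, goes
 * through the one resume call. */
int prune_single_exit(const ModelCache *cache, unsigned now, unsigned timeout)
{
    int pruned = 0;
    model_suspend();
    if (cache->count == 0)
        goto done;
    for (size_t i = 0; i < cache->count; i++)
        if (now - cache->last_seen[i] > timeout)
            pruned++;
done:
    model_resume();
    return pruned;
}

int main(void)
{
    ModelCache empty = { NULL, 0 };
    prune_early_return(&empty, 100, 30);
    printf("early return: suspended=%d\n", model_is_suspended());
    prune_single_exit(&empty, 100, 30);
    printf("single exit:  suspended=%d\n", model_is_suspended());
    return 0;
}
```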
