[Snort-devel] Active_Resume() not always being called after Active_Suspend()
rucombs at ...3461...
Sat Dec 5 05:14:29 EST 2015
On 12/5/15 3:07 AM, Nageswara Rao A.V.K (navk) wrote:
> Hi Mike,
> Change is not required.
> If you see the “pruneSessionCache” calling, the same function being
> called two times.
> If the “return 0” hits in first call, this flag will be resumed in
> second call.
> Until the session pruning completes, we should not call
It works as is but isn't future proof. That should be updated as Mike
> *From:*Mike Cox [mailto:mike.cox52 at ...2499...]
> *Sent:* Saturday, December 05, 2015 2:14 AM
> *To:* snort-devel at lists.sourceforge.net
> *Subject:* [Snort-devel] Active_Resume() not always being called after
> When pruning, the function Active_Suspend() gets called and alerts
> generated during this time, when the sensor is in inline mode, are
> marked as "Would Have Dropped". I am assuming that such events are
> ones that are in the session that is being pruned.
> When the pruning is done, the function Active_Resume() is called.
> However, there is one case where that doesn't happen. Here is the
> code (src/preprocessors/spp_session.c):
> static int pruneSessionCache( void *sessionCache, uint32_t thetime,
> void *save_me_session, int memCheck )
> SessionControlBlock *save_me = ( SessionControlBlock * )
> SessionCache *session_cache = ( SessionCache * ) sessionCache;
> SessionControlBlock *scb;
> uint32_t pruned = 0;
> if( thetime != 0 )
> /* Pruning, look for sessions that have time'd out */
> bool got_one;
> scb = ( SessionControlBlock * ) sfxhash_lru(
> session_cache->hashTable );
> if( scb == NULL )
> return 0;
> I think there should be this line before the highlighted "return 0;":
> In fact if you look at earlier Snort versions like 2.9.6, it is
> there. It looks like it was changed in 2.9.7. Was there a good
> reason that it was removed or does it make sense to put it back?
> Please let me know since I plan on making the change and rebuilding
> Snort for all my boxes.
> Usually, at least I think, the scb shouldn't be NULL but if it is, the
> sensor is stuck in Active_Suspend until prunes happen again.
> -Mike Cox
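Added example, not part of the original thread and not Snort source: a toy C model of the pattern discussed above, where an early return between a suspend call and its matching resume leaves the suspend state set until some later call clears it. All names (toy_suspend, toy_resume, toy_cache, prune_leaky, prune_balanced) are hypothetical, and it is assumed the suspend happens before the empty-LRU check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model, not Snort code: every name here is hypothetical. */
static bool suspended = false;          /* stands in for the suspend state */
static void toy_suspend(void) { suspended = true; }
static void toy_resume(void)  { suspended = false; }
bool toy_is_suspended(void)   { return suspended; }

/* lru == NULL models the LRU lookup returning no session. */
struct toy_cache { int *lru; size_t count; };

/* "Before" shape: the early return exits with the suspend state still set. */
int prune_leaky(struct toy_cache *c)
{
    int pruned = 0;
    toy_suspend();
    if (c->lru == NULL)
        return 0;                       /* no resume on this path */
    while (c->count > 0) { c->count--; pruned++; }
    toy_resume();
    return pruned;
}

/* Balanced shape: a single exit path, so resume runs on every return. */
int prune_balanced(struct toy_cache *c)
{
    int pruned = 0;
    toy_suspend();
    if (c->lru == NULL)
        goto done;
    while (c->count > 0) { c->count--; pruned++; }
done:
    toy_resume();
    return pruned;
}

int main(void)
{
    struct toy_cache empty = { NULL, 0 };
    prune_leaky(&empty);
    printf("leaky:    suspended=%d\n", toy_is_suspended());
    prune_balanced(&empty);
    printf("balanced: suspended=%d\n", toy_is_suspended());
    return 0;
}
```

In the leaky form the state is only cleared if another prune call runs to completion afterwards, which is why correctness depends on how the callers happen to be arranged.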