[Snort-users] More on the Possible Mem leak

Fyodor fygrave at ...121...
Wed Apr 18 18:56:41 EDT 2001


On Wed, Apr 18, 2001 at 06:23:36PM -0400, Brian Caswell wrote:
> Steve Halligan wrote:
> > Apr 18 15:56:22 homefries snort: Snort received 1802179 packets
> 
> > Apr 18 15:56:22 homefries snort:     TCP: 1828907    (101.001%)
> 
> > PS.  101.001% TCP?  What up with that?
> 
> I have not looked at the code to be sure, but the most logical
> explanation is that the streams preprocessor is injecting foobared
> packets into the stream.
> 
> I have noticed it on OpenBSD (haven't tested on other platforms) that
> stream2 will pass on the original packets as well as the stream to the
> rest of the engine.  This would explain the additional packets that you
> are seeing.

That's actually how the tcpstream reassembly piece works. I'd bet Chris would have
his own comment here, but generally speaking the preprocessor creates a 'fake'
packet out of reassembled code and then returns it to the detection module for
analysis:

 *
 * creates a buffer for each observed tcp stream.  upon seeing a RETURN
 * or receiving a maximum number of bytes, generate a packet containing
 * the reconstructed data
 
 
Does the allocated memory piece grow constantly (e.g. today you have 34M, tomorrow 64M etc)
or does it stick at the 34M level? IMHO if your network load is more or less constant, allocated
memory should stick at a certain size... (just my silly theory in fact ;-))
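
Added example, not part of the original message and not Snort source: a toy C model of the behaviour discussed above, in which every wire packet reaches detection and the per-stream buffer also emits a rebuilt packet on RETURN or at a byte limit, so the TCP counter ends up above the received count. The table size, byte limit, counter placement and all names are assumptions.

```c
/* Toy model of the behaviour described in the thread; not Snort source. */
#include <stdio.h>
#include <string.h>
#define MAX_STREAMS 4    /* assumed table size */
#define MAX_BYTES   16   /* assumed flush threshold */

struct stream { int used; unsigned key; size_t len; char buf[MAX_BYTES]; };
struct stats  { unsigned long received, tcp; };
static struct stream table[MAX_STREAMS];  /* fixed size: memory use is bounded */

/* Find or create the buffer for a flow; NULL when the table is full. */
static struct stream *lookup(unsigned key) {
    struct stream *slot = NULL;
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (table[i].used && table[i].key == key) return &table[i];
        if (!table[i].used && !slot) slot = &table[i];
    }
    if (slot) { slot->used = 1; slot->key = key; slot->len = 0; }
    return slot;
}

/* One wire packet: count it, analyse it, buffer it, flush on RETURN or full. */
static void on_wire_packet(struct stats *st, unsigned key, const char *d, size_t n) {
    st->received++;
    st->tcp++;                     /* original packet reaches detection */
    struct stream *s = lookup(key);
    if (!s) return;                /* untracked flow: no reassembly */
    for (size_t i = 0; i < n; i++) {
        s->buf[s->len++] = d[i];
        if (d[i] == '\n' || s->len == MAX_BYTES) {
            st->tcp++;             /* rebuilt 'fake' packet is counted too */
            s->len = 0;
        }
    }
}

/* TCP share of received packets, as in the exit statistics quoted above. */
static double tcp_percent(const struct stats *st) {
    return st->received ? 100.0 * st->tcp / st->received : 0.0;
}

/* Constructed sample: one interactive flow typed a few bytes at a time. */
static struct stats run_sample(void) {
    static const char *pkts[] = { "US", "ER ro", "ot\n", "PASS x\n" };
    struct stats st = {0, 0};
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        on_wire_packet(&st, 0x0a000001u, pkts[i], strlen(pkts[i]));
    return st;
}
int main(void) { struct stats st = run_sample(); printf("%.3f%%\n", tcp_percent(&st)); return 0; }
```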





