[Snort-users] More on the Possible Mem leak

Martin Roesch roesch at ...421...
Wed Apr 18 22:16:37 EDT 2001


Question: how many people who are seeing memory leaks are using the
database plugin too?

    -Marty

Fyodor wrote:
> 
> On Wed, Apr 18, 2001 at 06:23:36PM -0400, Brian Caswell wrote:
> > Steve Halligan wrote:
> > > Apr 18 15:56:22 homefries snort: Snort received 1802179 packets
> >
> > > Apr 18 15:56:22 homefries snort:     TCP: 1828907    (101.001%)
> >
> > > PS.  101.001% TCP?  What up with that?
> >
> > I have not looked at the code to be sure, but the most logicaly
> > explaination is that the streams preprocessor is injecting foobared
> > packets into the stream.
> >
> > I have noticed it on openbsd (Havn't tested on other platforms) that
> > stream2 will pass on the original packets as well as the stream to the
> > rest of the engine.  This would explain the additional packets that you
> > are seeing.
> 
> That's actually how tcpstream reassembly piece works. I'd bet Chris would have
> his own comment here, but generally speaking the preprocessor creates a 'fake'
> packet out of reassembled code and then returns it to the detection module for
> analysis:
> 
>  *
>  * creates a buffer for each observed tcp stream.  upon seeing a RETURN
>  * or receiving a maximum number of bytes, generate a packet containing
>  * the reconstructed data
> 
> 
>  Does the allocated memory piece grow constantly (i.g. today you have 34M, tomorrow 64M etc)
>  or it sticks at 34M level? IMHO if your network load is more or less constant, allocated
>  memory should stick at certain size... (just my silly theory in fact ;-))
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list