[Snort-users] More on the Possible Mem leak
roesch at ...421...
Wed Apr 18 22:16:37 EDT 2001
Question: how many people who are seeing memory leaks are using the
database plugin too?
> On Wed, Apr 18, 2001 at 06:23:36PM -0400, Brian Caswell wrote:
> > Steve Halligan wrote:
> > > Apr 18 15:56:22 homefries snort: Snort received 1802179 packets
> > > Apr 18 15:56:22 homefries snort: TCP: 1828907 (101.001%)
> > > PS. 101.001% TCP? What up with that?
> > I have not looked at the code to be sure, but the most logicaly
> > explaination is that the streams preprocessor is injecting foobared
> > packets into the stream.
> > I have noticed it on openbsd (Havn't tested on other platforms) that
> > stream2 will pass on the original packets as well as the stream to the
> > rest of the engine. This would explain the additional packets that you
> > are seeing.
> That's actually how tcpstream reassembly piece works. I'd bet Chris would have
> his own comment here, but generally speaking the preprocessor creates a 'fake'
> packet out of reassembled code and then returns it to the detection module for
> * creates a buffer for each observed tcp stream. upon seeing a RETURN
> * or receiving a maximum number of bytes, generate a packet containing
> * the reconstructed data
> Does the allocated memory piece grow constantly (i.g. today you have 34M, tomorrow 64M etc)
> or it sticks at 34M level? IMHO if your network load is more or less constant, allocated
> memory should stick at certain size... (just my silly theory in fact ;-))
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users