Snort mailing list archives
Re: Bug in stream5 global - prune_log_max <bytes>
From: Gregory S Thomas <greg.thomas () pnnl gov>
Date: Wed, 13 Mar 2013 14:38:16 -0700
I ran into the same problem with 2.9.4 and reported it to the list last month, but the fix did not make it into 2.9.4.1. Here is the previous message I sent:
Date: Tue, 19 Feb 2013 17:40:35 -0800
From: Gregory S Thomas <greg.thomas () pnnl gov>
Subject: [Snort-devel] stream5 prune_log_max fix
To: snort-devel () lists sourceforge net

The documentation (snort-2.9.4/doc/README.stream5) says that setting prune_log_max to 0 disables the messages, but this does not work. The source code implements it correctly in one place (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_session.c):

    558     if (prune_log_max
    559         && ((old_mem_in_use - mem_in_use ) > prune_log_max))

but not in the second place (snort-2.9.4/src/preprocessors/Stream5/snort_stream5_tcp.c):

    4582 #define POST_SESSION_CLEANUP(delete_reason) \
    4583     if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \

Changing the code as shown below appears to fix the problem:

    4583     if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max)) \

Please consider incorporating this fix into a future version of snort.

Thanks,
Greg Thomas
Here is a patch for 2.9.4.1:

shell> env LC_ALL=C TZ=UTC0 diff -aur snort-2.9.4.1 snort-2.9.4.1.patched diff -aur snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c --- snort-2.9.4.1/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-02-19 22:14:24.000000000 +0000 +++ snort-2.9.4.1.patched/src/preprocessors/Stream5/snort_stream5_tcp.c 2013-03-13 21:31:16.000000000 +0000 @@ -4630,7 +4630,7 @@ sfip_set_ip(&server_ip, &lwssn->server_ip); #define POST_SESSION_CLEANUP(delete_reason) \ - if ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max) \ + if (s5_global_eval_config->prune_log_max && ((old_mem_in_use - mem_in_use ) > s5_global_eval_config->prune_log_max)) \ { \ char *client_ip_str, *server_ip_str; \ client_ip_str = SnortStrdup(inet_ntoa(&client_ip)); \

Please add this to the next version of snort.

Thanks,
Greg Thomas

-----Original Message-----
Date: Wed, 13 Mar 2013 13:42:35 +0100 (CET)
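Review bot: the new guard in POST_SESSION_CLEANUP is now the same "prune_log_max && (freed > prune_log_max)" test that snort_stream5_session.c already has at line 558, so the documented "0 disables the messages" behaviour is honoured at both pruning sites; but the fix leaves that zero-means-disabled rule written out twice in two files, which is exactly how the second site fell out of sync in the first place. Consider a small shared helper (for example a static inline predicate taking old_mem_in_use, mem_in_use and the configured limit) that both the session-cache prune path and this macro call, so the next change to the logging threshold cannot miss one of them. Note also that the change only gates the log message: with prune_log_max 0 the sessions are still pruned as before, just silently, which matches README.stream5.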
From: elof () sentor se
Subject: [Snort-devel] Bug in stream5 global - prune_log_max <bytes>
To: snort-devel mailinglist <snort-devel () lists sourceforge net>, bugs () snort org

Hi!

Just wanted to report a bug.

The README.stream5 and manual state that setting 'prune_log_max' to 0 should disable logging completely. This is not the case. Instead I get LOTS of logs, for sessions that are using just a few bytes. (The default if not specifying any 'prune_log_max' at all is to only log a message if a terminated session used more than 1 MB of data.)

    preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5, prune_log_max 0, memcap 640578048

Result: My syslog spews out these lines at a high rate:

    Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 (0) : LWstate 0xc8 LWFlags 0x416107
    [similar lines elided]

/Elof

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Bug in stream5 global - prune_log_max <bytes> elof (Mar 13)
- <Possible follow-ups>
- Re: Bug in stream5 global - prune_log_max <bytes> Gregory S Thomas (Mar 13)
- Re: Bug in stream5 global - prune_log_max <bytes> Bhagya Bantwal (Mar 13)