Snort mailing list archives
Active_Resume() not always being called after Active_Suspend()
From: Mike Cox <mike.cox52 () gmail com>
Date: Fri, 4 Dec 2015 15:43:50 -0500
When pruning, the function Active_Suspend() gets called and alerts generated during this time, when the sensor is in inline mode, are marked as "Would Have Dropped". I am assuming that such events are ones that are in the session that is being pruned. When the pruning is done, the function Active_Resume() is called. However, there is one case where that doesn't happen. Here is the code (src/preprocessors/spp_session.c):

    static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck )
    {
        SessionControlBlock *save_me = ( SessionControlBlock * ) save_me_session;
        SessionCache *session_cache = ( SessionCache * ) sessionCache;
        SessionControlBlock *scb;
        uint32_t pruned = 0;

        *Active_Suspend();*

        if( thetime != 0 )
        {
            /* Pruning, look for sessions that have time'd out */
            bool got_one;
            scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );

            if( scb == NULL )
                return 0;

I think there should be this line before the highlighted "return 0;":

    *Active_Resume();*

In fact if you look at earlier Snort versions like 2.9.6, it is there. It looks like it was changed in 2.9.7. Was there a good reason that it was removed or does it make sense to put it back? Please let me know since I plan on making the change and rebuilding Snort for all my boxes. Usually, at least I think, the scb shouldn't be NULL but if it is, the sensor is stuck in Active_Suspend until prunes happen again.

Thanks.

-Mike Cox
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
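Added example, not part of the original post and not Snort source code: a minimal C model of the suspend/resume imbalance described in the message above, next to a single-exit variant in which every return path resumes. The names suspend_active(), resume_active(), prune_early_return(), prune_balanced() and verdict_for_drop_alert() are hypothetical stand-ins, and modelling the suspended state as a boolean flag is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the suspend/resume pair; not Snort's code.
 * Assumption: the suspended state is a simple flag. */
static bool active_suspended = false;
static void suspend_active(void) { active_suspended = true; }
static void resume_active(void)  { active_suspended = false; }

typedef enum { VERDICT_DROP, VERDICT_WOULD_DROP } verdict_t;

/* Inline-mode verdict for a drop rule that fires right now. */
static verdict_t verdict_for_drop_alert(void)
{
    return active_suspended ? VERDICT_WOULD_DROP : VERDICT_DROP;
}

/* Shape reported in the post: the early return skips the resume. */
static int prune_early_return(const int *lru_entry)
{
    suspend_active();
    if (lru_entry == NULL)
        return 0;               /* leaves active_suspended == true */
    /* ... pruning work would go here ... */
    resume_active();
    return 1;
}

/* Single exit path: every return goes through resume_active(). */
static int prune_balanced(const int *lru_entry)
{
    int pruned = 0;

    suspend_active();
    if (lru_entry == NULL)
        goto done;
    pruned = 1;                 /* placeholder for the pruning work */
done:
    resume_active();
    return pruned;
}

int main(void)
{
    prune_early_return(NULL);   /* constructed input: empty LRU list */
    printf("early return: %s\n", verdict_for_drop_alert() == VERDICT_WOULD_DROP ? "would drop" : "drop");
    resume_active();
    prune_balanced(NULL);
    printf("balanced:     %s\n", verdict_for_drop_alert() == VERDICT_WOULD_DROP ? "would drop" : "drop");
    return 0;
}
```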
Current thread:
- Active_Resume() not always being called after Active_Suspend() Mike Cox (Dec 04)
- Re: Active_Resume() not always being called after Active_Suspend() Nageswara Rao A.V.K (navk) (Dec 05)