Snort mailing list archives

Active_Resume() not always being called after Active_Suspend()


From: Mike Cox <mike.cox52 () gmail com>
Date: Fri, 4 Dec 2015 15:43:50 -0500

When pruning, the function Active_Suspend() gets called and alerts
generated during this time, when the sensor is in inline mode, are marked
as "Would Have Dropped".  I am assuming that such events are ones that are
in the session that is being pruned.

When the pruning is done, the function Active_Resume() is called.  However,
there is one case where that doesn't happen.  Here is the code
(src/preprocessors/spp_session.c):

static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck )
{
    SessionControlBlock *save_me = ( SessionControlBlock  * ) save_me_session;
    SessionCache *session_cache = ( SessionCache * ) sessionCache;
    SessionControlBlock *scb;
    uint32_t pruned = 0;

    Active_Suspend();

    if( thetime != 0 )
    {
        /* Pruning, look for sessions that have time'd out */
        bool got_one;
        scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );

        if( scb == NULL )
            return 0;   /* <-- returns without calling Active_Resume() */

I think there should be this line before the highlighted "return 0;":

            Active_Resume();

In fact if you look at earlier Snort versions like 2.9.6, it is there.  It
looks like it was changed in 2.9.7.  Was there a good reason that it was
removed or does it make sense to put it back?  Please let me know since I
plan on making the change and rebuilding Snort for all my boxes.

Usually, at least I think, the scb shouldn't be NULL but if it is, the
sensor is stuck in Active_Suspend until prunes happen again.

Thanks.

-Mike Cox
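
The suspend/resume imbalance described in the message above, as an added example that is not part of the original post and is not Snort source. All names are hypothetical, and the suspend state is assumed to be a single flag.

```c
/* Added illustration, not Snort source: every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { int id; } session_t;         /* stand-in for a session block */
typedef struct { session_t *lru; } cache_t;   /* stand-in for the session cache */

static bool suspended = false;                /* assumption: suspend state is one flag */
static void suspend_active(void) { suspended = true; }
static void resume_active(void)  { suspended = false; }

/* Verdict an inline sensor would record for a drop rule firing right now. */
static const char *drop_verdict(void) {
    return suspended ? "would have dropped" : "dropped";
}

/* Shape of the reported code path: the empty-cache return skips the resume. */
static int prune_leaky(cache_t *c) {
    suspend_active();
    if (c->lru == NULL)
        return 0;               /* exits while still suspended */
    c->lru = NULL;              /* "prune" the single entry */
    resume_active();
    return 1;
}

/* Single exit point: every path through the function resumes. */
static int prune_balanced(cache_t *c) {
    int pruned = 0;
    suspend_active();
    if (c->lru == NULL)
        goto done;
    c->lru = NULL;
    pruned = 1;
done:
    resume_active();
    return pruned;
}

int main(void) {
    cache_t empty = { NULL };   /* constructed input: nothing to prune */
    prune_leaky(&empty);
    printf("after leaky prune:    %s\n", drop_verdict());
    prune_balanced(&empty);
    printf("after balanced prune: %s\n", drop_verdict());
    return 0;
}
```

Routing every return through one cleanup label keeps the pairing intact when further early exits are added later.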
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel