Snort mailing list archives
Re: Active_Resume() not always being called after Active_Suspend()
From: Russ <rucombs () cisco com>
Date: Sat, 5 Dec 2015 05:14:29 -0500
On 12/5/15 3:07 AM, Nageswara Rao A.V.K (navk) wrote:
It works as is but isn't future proof. That should be updated as Mike suggests.Hi Mike, Change is not required.If you see the “pruneSessionCache” calling, the same function being called two times.If the “return 0” hits in first call, this flag will be resumed in second call.Until the session pruning completes, we should not call “*Active_Resume()*“.
Thanks Mike. Russ
Regards, -ANR *From:*Mike Cox [mailto:mike.cox52 () gmail com] *Sent:* Saturday, December 05, 2015 2:14 AM *To:* snort-devel () lists sourceforge net*Subject:* [Snort-devel] Active_Resume() not always being called after Active_Suspend()When pruning, the function Active_Suspend() gets called and alerts generated during this time, when the sensor is in inline mode, are marked as "Would Have Dropped". I am assuming that such events are ones that are in the session that is being pruned.When the pruning is done, the function Active_Resume() is called. However, there is one case where that doesn't happen. Here is the code (src/preprocessors/spp_session.c):static int pruneSessionCache( void *sessionCache, uint32_t thetime, void *save_me_session, int memCheck ){SessionControlBlock *save_me = ( SessionControlBlock * ) save_me_session;SessionCache *session_cache = ( SessionCache * ) sessionCache; SessionControlBlock *scb; uint32_t pruned = 0; *Active_Suspend();* if( thetime != 0 ) { /* Pruning, look for sessions that have time'd out */ bool got_one;scb = ( SessionControlBlock * ) sfxhash_lru( session_cache->hashTable );if( scb == NULL ) return 0; I think there should be this line before the highlighted "return 0;": *Active_Resume();*In fact if you look at earlier Snort versions like 2.9.6, it is there. It looks like it was changed in 2.9.7. Was there a good reason that it was removed or does it make sense to put it back? Please let me know since I plan on making the change and rebuilding Snort for all my boxes.Usually, at least I think, the scb shouldn't be NULL but if it is, the sensor is stuck in Active_Suspend until prunes happen again.Thanks. -Mike Cox ------------------------------------------------------------------------------ Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140 _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Active_Resume() not always being called after Active_Suspend() Mike Cox (Dec 04)
- Re: Active_Resume() not always being called after Active_Suspend() Nageswara Rao A.V.K (navk) (Dec 05)
- Re: Active_Resume() not always being called after Active_Suspend() Russ (Dec 05)
- Re: Active_Resume() not always being called after Active_Suspend() Nageswara Rao A.V.K (navk) (Dec 05)