-----BEGIN PGP SIGNED MESSAGE-----
On Jul 24, 2006, at 11:37 AM, Frank Knobbe wrote:
> On Sun, 2006-07-23 at 23:34 -0400, Jason wrote:
>> \"This will cause Stream4 to zero out the memory of the
>> rebuilt packet before copying in the new data. So, when
>> packets are missing from the middle of the rebuilt packet,
>> you'll get 0x00 in those bytes, rather than whatever was
>> there from the previous rebuild."
>> The problem is packet loss. A single buffer is used for
>> reassembly. If
>> you are missing packets when reassembly is done then the old data is
>> still in the gaps...
> Yeah, I remember that we've discussed that before now :)
> But a question comes to mind: When Snort reassembles the stream,
> shouldn't it be able to tell which segments are reassembled and which
> not? Snort should be able to fill the first segment, the third
> the fourth segment, and then realize that it never got the second
> segment, then null just that before sending the packet to the matching
> Nulling the whole buffer before reassembly seems like a waste of
> resources, which is probably why a lot of folks don't turn it on. I
> believe you guys even warned about the performance impact.
> To me, the solution would seem to write the stream4 such that is
> recognizes a missing segment and nulls just that. From a performance
> standpoint, it should require as much as copying an existing segment
> into the stream.
I think doing successive 32-bit sequence-number-safe (i.e. wrap safe)
compares and memset()'s to clear out the gaps would probably not save
us any time and would probably cost us clock cycles to perform as
opposed to just memset()'ing the whole stream buffer (which is a
dynamic value anyway and should be less than 64k typically). Once
you factor in the compares and the function call overhead I
intuitively believe (with no evidence other than my gut) that just
zeroing the reassembly buffer is the best way to handle it and the
least error prone (one line of code).
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
-----END PGP SIGNATURE-----