From: Victor J. <vi...@nk...> - 2004-07-09 07:45:31
On Friday 09 July 2004 03:04, William Metcalf wrote:
> > I'm no snort expert, nor a snort_inline expert, nor an expert programmer,
> > but my question is: what would you gain by writing your own preproc? Can you
> > point problems in the current one that are so big they can't be fixed?
>
> The way that stream4 deals with data now is not really ideal for an inline
> device. We could cut a lot of fat out of stream4 with the checks for picking
> up sessions midstream, as this shouldn't ever happen except during the
> initialization of the plug-in. In addition, separating out the session
> time-out and storing of packets in memory will be difficult while keeping
> the stream4 preproc working while not in inline mode. Rob has amazingly
> been able to do this up to this point :-)

I have several ideas. Since snort_inline is dependent on Netfilter, can't we in some way use the Netfilter connection tracking? Maybe with some extension of conntrack or a modification of libipq? We don't have to re-invent the wheel, right?

Maybe we want (yes, we, I would like to help you ;-) the same timeout values Netfilter uses. They make sense in normal use. This would present a challenge because of the much larger memory use of stream4. But maybe we can store the data of sessions that are inactive for a few minutes on disk?

Can we think of something to write the state table to disk so it can survive a SIGHUP (for applying new settings) or even a program restart (they seem to be identical right now, see below)? If you are in a corporate environment, you can't afford to lose sessions of your users if you apply a new rule or a configuration change.

<snip>

> Don't quote me on this, as I'm not sure if snort still reacts the same way
> to a kill -HUP, but in the past it didn't just re-read the config files, it
> used exec argv which completely tore down snort and restarted.

You're right, I just didn't look right! I was really tired yesterday (in a few days I'm going on my holiday, I really deserved it! ;-)

Regards,
Victor

> Regards,
>
> Will
>
> Victor Julien <vi...@nk...>
> 07/08/2004 07:13 PM
> To: William Metcalf <Wil...@kc...>
> cc: sno...@li...urceforge.net, sno...@li...urceforge.net
> Subject: Re: [Snort-inline-users] [PATCH] fix restart function called after a SigHUP
>
> On Friday 09 July 2004 01:59, William Metcalf wrote:
> > The more requests that come in, it's getting conceptually harder to meet
> > them modding the stream4 that comes with vanilla snort. I guess I've found
> > my research project for my cert, I'll start rewriting stream4 as a separate
> > preproc for snort_inline. What do you guys think about this?
>
> I'm no snort expert, nor a snort_inline expert, nor an expert programmer, but
> my question is: what would you gain by writing your own preproc? Can you
> point problems in the current one that are so big they can't be fixed?
>
> > If this is cool with everyone, just send me what you would like to see. As
> > far as reassembly goes, how long do you think we should store packets in
> > memory from the stream? What is a good length to keep state?
>
> I would like to be able to walk away from my ssh session for a few hours, and
> still not lose my session (and I really know people that act this way! =)
>
> But Will, can you explain something to me? When snort_inline receives a SIGHUP,
> the Restart() function is called, which in its turn runs through the
> PluginRestartList to execute the restart function of the specific preproc,
> right? If I'm not mistaken, for stream4 this is the Stream4RestartFunction().
> However, in that function (starting on line 3509 of spp_stream4.c) I can find
> no reason for the state table to flush... so where is it flushed (if at all)?
>
> > Rob, would you be alright with this?
> >
> > Regards,
> >
> > Will
>
> Regards,
> Victor
>
> PS. What kind of cert is that?
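Victor's idea above, a session table whose idle timeout follows Netfilter's and which is written to disk before a SIGHUP-driven restart and read back afterwards, as an added illustration that is not part of this thread and not snort_inline or stream4 code. The type and function names (session_t, table_save, table_load, table_prune) are assumptions for the sketch, the sessions are constructed sample data, and the on-disk format is a constructed one; the one real value used is Netfilter's default 5-day timeout for established TCP conntrack entries.

```c
/* Added example, not snort_inline or stream4 code: a minimal TCP session
 * table that is pruned on an idle timeout and can be saved to and restored
 * from a file across a SIGHUP restart.  All names are assumptions. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 64
#define TABLE_MAGIC  0x53455353u            /* constructed file marker */
/* Netfilter's default timeout for established TCP conntrack entries: 5 days. */
#define ESTABLISHED_TIMEOUT (5u * 24u * 60u * 60u)

typedef struct {
    uint32_t src_ip, dst_ip;                /* IPv4, host byte order */
    uint16_t src_port, dst_port;
    uint32_t last_seen;                     /* seconds since the epoch */
} session_t;

typedef struct { session_t s[MAX_SESSIONS]; int n; } session_table_t;

static volatile sig_atomic_t hup_pending;   /* set by the SIGHUP handler */
static void on_sighup(int sig) { (void)sig; hup_pending = 1; }

int table_add(session_table_t *t, session_t s)
{
    if (t->n >= MAX_SESSIONS) return -1;
    t->s[t->n++] = s;
    return 0;
}

/* Drop sessions idle for longer than timeout; returns how many were removed. */
int table_prune(session_table_t *t, uint32_t now, uint32_t timeout)
{
    int kept = 0, removed = 0;
    for (int i = 0; i < t->n; i++) {
        if (now - t->s[i].last_seen > timeout) { removed++; continue; }
        t->s[kept++] = t->s[i];
    }
    t->n = kept;
    return removed;
}

/* Layout: magic, entry count, then the raw entries.  Same host and same
 * build on reload, so the in-memory struct layout is acceptable here. */
int table_save(const session_table_t *t, FILE *fp)
{
    uint32_t magic = TABLE_MAGIC, n = (uint32_t)t->n;
    if (fwrite(&magic, sizeof magic, 1, fp) != 1) return -1;
    if (fwrite(&n, sizeof n, 1, fp) != 1) return -1;
    if (n && fwrite(t->s, sizeof(session_t), n, fp) != n) return -1;
    return fflush(fp) == 0 ? 0 : -1;
}

/* The count is bounds-checked before reading, so a truncated or tampered
 * state file cannot overflow the table. */
int table_load(session_table_t *t, FILE *fp)
{
    uint32_t magic, n;
    if (fread(&magic, sizeof magic, 1, fp) != 1 || magic != TABLE_MAGIC) return -1;
    if (fread(&n, sizeof n, 1, fp) != 1 || n > MAX_SESSIONS) return -1;
    memset(t, 0, sizeof *t);
    if (n && fread(t->s, sizeof(session_t), n, fp) != n) return -1;
    t->n = (int)n;
    return 0;
}

/* Constructed sample: an ssh session idle 1 h, a web session idle 5 s,
 * and an ssh session idle a full week. */
static void fill_sample(session_table_t *t, uint32_t now)
{
    memset(t, 0, sizeof *t);
    session_t a = { 0x0A000001u, 0x0A000002u, 40000, 22, now - 3600u };
    session_t b = { 0x0A000003u, 0x0A000002u, 40001, 80, now - 5u };
    session_t c = { 0x0A000004u, 0x0A000002u, 40002, 22, now - 7u * 86400u };
    table_add(t, a); table_add(t, b); table_add(t, c);
}

/* Save to a temporary file, reload into a fresh table, return its size. */
int roundtrip_count(void)
{
    session_table_t in, out;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fill_sample(&in, 1000000000u);
    if (table_save(&in, fp) != 0) { fclose(fp); return -1; }
    rewind(fp);
    int rc = table_load(&out, fp);
    fclose(fp);
    return rc == 0 ? out.n : -1;
}

/* With the 5-day timeout only the week-old session is pruned. */
int prune_sample_count(void)
{
    session_table_t t;
    fill_sample(&t, 1000000000u);
    return table_prune(&t, 1000000000u, ESTABLISHED_TIMEOUT);
}

/* A state file claiming more entries than fit is rejected (returns -1). */
int rejects_oversize(void)
{
    uint32_t magic = TABLE_MAGIC, n = MAX_SESSIONS + 1;
    session_table_t t;
    FILE *fp = tmpfile();
    if (!fp) return 0;
    fwrite(&magic, sizeof magic, 1, fp); fwrite(&n, sizeof n, 1, fp);
    rewind(fp);
    int rc = table_load(&t, fp);
    fclose(fp);
    return rc;
}

int main(void)
{
    signal(SIGHUP, on_sighup);   /* a daemon polls hup_pending in its packet loop */
    printf("roundtrip=%d pruned=%d oversize_rc=%d hup=%d\n", roundtrip_count(),
           prune_sample_count(), rejects_oversize(), (int)hup_pending);
    return 0;
}
```

In a daemon the loop would, on seeing hup_pending set, call table_save() to a state file, re-read its configuration, and call table_load() from the same file, so an established session (the long-idle ssh login Victor mentions) outlives the restart. The bounds check in table_load() matters because the state file is an input like any other: a daemon that trusts a count read from disk is one corrupted or replaced file away from a heap or stack overflow at startup.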