[Snort-devel] new spp_defrag.c

Sjsnort sjsnort at ...398...
Fri Jun 29 04:58:06 EDT 2001


Seems to work fine. My config is: Snort Version 1.8-beta8 (Build 30) on Solaris 2.6/UltraSparc-II.

Here is what I got after HUPing snort after it had run for a while:

Jun 29 14:20:14 e220r snort[4446]: Snort received 32051 packets
Jun 29 14:20:14 e220r snort[4446]:  and dropped 0(0.000%) packets
Jun 29 14:20:14 e220r snort[4446]: Breakdown by protocol:                Action Stats:
Jun 29 14:20:14 e220r snort[4446]:     TCP: 28195      (87.969%)         ALERTS: 27
Jun 29 14:20:14 e220r snort[4446]:     UDP: 2564       (8.000%)          LOGGED: 27
Jun 29 14:20:14 e220r snort[4446]:    ICMP: 447        (1.395%)          PASSED: 0
Jun 29 14:20:14 e220r snort[4446]:     ARP: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:    IPv6: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:     IPX: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:   OTHER: 845        (2.636%)
Jun 29 14:20:14 e220r snort[4446]: DISCARD: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:
Jun 29 14:20:14 e220r snort[4446]: ===============================================================================
Jun 29 14:20:14 e220r snort[4446]: Fragmentation Stats:
Jun 29 14:20:14 e220r snort[4446]: Fragmented IP Packets: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:    Rebuilt IP Packets: 0
Jun 29 14:20:14 e220r snort[4446]:    Frag elements used: 0
Jun 29 14:20:14 e220r snort[4446]: Discarded(incomplete): 0
Jun 29 14:20:14 e220r snort[4446]:    Discarded(timeout): 0
Jun 29 14:20:14 e220r snort[4446]:
Jun 29 14:20:14 e220r snort[4446]: ===============================================================================
Jun 29 14:20:14 e220r snort[4446]: TCP Stream Reassembly Stats:
Jun 29 14:20:14 e220r snort[4446]:    TCP Packets Used:      0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:    Reconstructed Packets: 0          (0.000%)
Jun 29 14:20:14 e220r snort[4446]:    Streams Reconstructed: 0
Jun 29 14:20:14 e220r snort[4446]:
Jun 29 14:20:14 e220r snort[4446]: ===============================================================================
Jun 29 14:20:14 e220r snort[4446]: Received SIGHUP. Restarting
Jun 29 14:20:14 e220r snort[4446]: stream4 config:
Jun 29 14:20:14 e220r snort[4446]:     stateful inspection: ACTIVE
Jun 29 14:20:14 e220r snort[4446]:     session statistics: ACTIVE
Jun 29 14:20:14 e220r snort[4446]:     session timeout: 30 seconds
Jun 29 14:20:14 e220r snort[4446]:     session memory cap: 8388608 bytes
Jun 29 14:20:14 e220r snort[4446]: No arguments to stream4_reassemble, setting defaults:
Jun 29 14:20:14 e220r snort[4446]:      Reassemble client: ACTIVE
Jun 29 14:20:14 e220r snort[4446]:      Reassemble server: INACTIVE
Jun 29 14:20:14 e220r snort[4446]:      Reassemble ports: 21 23 25 53 80 143 110 111 513
Jun 29 14:20:14 e220r snort[4446]:      Reassembly alerts: ACTIVE
Jun 29 14:20:14 e220r snort[4446]: Snort initialization completed successfully, Snort running
Jun 29 14:20:14 e220r snort[4446]: WARNING: Data on unestablished session (state: 7)!

----snip-------

Siddhartha

----- Original Message -----
From: "Dragos Ruiu" <dr at ...40...>
To: <snort-devel at lists.sourceforge.net>
Sent: Friday, June 29, 2001 5:16 AM
Subject: [Snort-devel] new spp_defrag.c


>
>
> defragger with memory hard-hard limits
> and out of memory alert thresholding so nobody
> gets any snotty ideas about sticking in defrag
> noise.  :-)
>
> Some tweaks that should help the sparc people...
> And a new higher efficiency timeout checker
> and garbage collector.
>
> Backwards compatible with snort 1.7 and 1.8 releases.
> just replace spp_defrag.c
>
> I sent an earlier version out to a few and didn't receive
> any tracebacks yet so I assume it's ok. Here is a
> slightly more aggressively defended version.
>
> Send me your complaints... or cpu utilization benchmarks
> and the %of fragmented traffic you have as I am trying
> to benchmark...
>
> cheers,
> --dr
>


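The defenses Dragos lists for the new defragger (a hard memory limit, out-of-memory alert thresholding, a timeout checker and a garbage collector) are easier to reason about with a concrete sketch. The following toy fragment tracker is an added example written for this page; it is not spp_defrag.c or any other Snort code, and the cap, timeout, alert interval, struct and function names, and the constructed flood in flood_demo are all assumptions made for illustration. It shows the property that matters against "defrag noise": a flood of fragments can neither grow memory past the cap nor produce one alert per dropped fragment, and stale state is reclaimed by timeout before anything new is refused.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added toy example, not Snort's spp_defrag.c. All limits are hypothetical. */
#define MAX_FRAG_BYTES 4096   /* hard cap on buffered fragment payload */
#define FRAG_TIMEOUT_S 30     /* fragments idle longer than this are reaped */
#define ALERT_EVERY_N  100    /* one alert per N dropped fragments, not one per drop */

typedef struct frag_entry {
    uint32_t src, dst;            /* fragment key: source, destination, IP id */
    uint16_t id;
    uint16_t offset;              /* fragment offset in bytes */
    size_t   len;                 /* payload bytes counted against the cap */
    time_t   seen;                /* arrival time, used by the collector */
    struct frag_entry *next;
} frag_entry;

typedef struct {
    frag_entry   *head;
    size_t        bytes_used;     /* total payload bytes currently buffered */
    unsigned long drops;          /* fragments refused because of the cap */
    unsigned long alerts;         /* out-of-memory alerts actually emitted */
} frag_tracker;

void tracker_init(frag_tracker *t) { memset(t, 0, sizeof *t); }

/* Garbage collector: free every entry older than FRAG_TIMEOUT_S.
 * Returns the number of entries freed. */
size_t tracker_gc(frag_tracker *t, time_t now)
{
    size_t freed = 0;
    frag_entry **pp = &t->head;
    while (*pp) {
        frag_entry *e = *pp;
        if (now - e->seen > FRAG_TIMEOUT_S) {
            *pp = e->next;               /* unlink without losing our place */
            t->bytes_used -= e->len;
            free(e);
            freed++;
        } else {
            pp = &e->next;
        }
    }
    return freed;
}

/* Buffer one fragment. Returns 1 if stored, 0 if refused.
 * The cap is hard: if reaping timed-out state does not make room, the fragment
 * is dropped rather than the limit exceeded. Alerts are thresholded so that a
 * fragment flood cannot be turned into an alert flood. */
int tracker_add(frag_tracker *t, uint32_t src, uint32_t dst, uint16_t id,
                uint16_t offset, size_t len, time_t now)
{
    if (t->bytes_used + len > MAX_FRAG_BYTES)
        tracker_gc(t, now);              /* first try to reclaim stale entries */
    if (t->bytes_used + len > MAX_FRAG_BYTES) {
        t->drops++;
        if (t->drops % ALERT_EVERY_N == 1) {   /* first drop, then every Nth after it */
            t->alerts++;
            fprintf(stderr, "ALERT: defrag memory cap reached, %lu fragments dropped\n",
                    t->drops);
        }
        return 0;
    }
    frag_entry *e = malloc(sizeof *e);
    if (!e)
        return 0;
    e->src = src; e->dst = dst; e->id = id;
    e->offset = offset; e->len = len; e->seen = now;
    e->next = t->head;
    t->head = e;
    t->bytes_used += len;
    return 1;
}

void tracker_free(frag_tracker *t)
{
    while (t->head) {
        frag_entry *e = t->head;
        t->head = e->next;
        free(e);
    }
    t->bytes_used = 0;
}

/* Constructed flood: `count` fragments of `len` bytes all arriving at time 0,
 * then one more fragment `later` seconds afterwards. Returns how many were stored. */
unsigned long flood_demo(frag_tracker *t, unsigned count, size_t len, time_t later)
{
    unsigned long stored = 0;
    for (unsigned i = 0; i < count; i++)
        stored += (unsigned long)tracker_add(t, 0x0a000001, 0x0a000002, 7,
                                             (uint16_t)(i * 8), len, 0);
    stored += (unsigned long)tracker_add(t, 0x0a000001, 0x0a000002, 8, 0, len, later);
    return stored;
}

int main(void)
{
    frag_tracker t;
    tracker_init(&t);
    unsigned long stored = flood_demo(&t, 300, 512, FRAG_TIMEOUT_S + 10);
    printf("stored=%lu dropped=%lu alerts=%lu buffered=%zu bytes\n",
           stored, t.drops, t.alerts, t.bytes_used);
    tracker_free(&t);
    return 0;
}
```

With the constants above, 300 fragments of 512 bytes fill the 4096-byte cap after eight, the remaining 292 are dropped, and only three alerts are raised (on the 1st, 101st and 201st drop). The fragment that arrives 40 seconds later is stored because the collector reaps the eight timed-out entries first. This is the behaviour a sensor needs so that an attacker who floods it with fragments cannot exhaust memory or drown real alerts.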