[Snort-users] snort 1.8.2 crash on 50Mb traffic with reassembly directive on

Bruno GODARD Bruno.GODARD at ...4082...
Thu Nov 15 02:16:02 EST 2001

During our NIDS tests, we systematicaly have snort 1.8.2 (with or without snmp
and mysql on) which crash under
50 Mb traffic composed of tiny packets of 64 bits. We test it on sun plateform
under solaris 2.7.
We just change "preprocessor stream4_reassemble" options from default to
"both:port all"
We change this option because we would test snort ability to detect  fragmented
attack on heavy traffic.
On a established 50Mb traffic, We start snort, it detects some fragmented
attack, but not all, then after some minutes it crash with a core dump.
On a 25Mb traffic it doesn't crash and detects all fragmented attacks.
Can someone have an explanation of this crash , is snort limited to small
traffic when we ask it to reassemble packet.

Thanks for idea and help


Le contenu de ce message ne represente en aucun cas un 
engagement de la part de Noos sous reserve de tout accord 
conclu par ecrit entre vous et Noos. Toute publication, 
utilisation ou diffusion, meme partielle, doit etre autorisee 
prealablement. Si vous n'etes pas destinataire de ce message, merci d'en 
avertir immediatement l'expediteur.
Pour avoir plus d'informations sur Noos : http://www.noos.com

The content of this message does not constitute a commitment 
by Noos except where provided for in a written agreement 
between you and Noos. Any unauthorised disclosure, use or
dissemination, either whole or partial, is prohibited. If you are not the
intended recipient of the message, please notify the sender immediately.
For more information about us: http://www.noos.com

More information about the Snort-users mailing list