[Snort-users] snort 1.8.2 crash on 50Mb traffic with reassembly directive on
erek at ...577...
Thu Nov 15 07:25:06 EST 2001
On Thu, 15 Nov 2001, Bruno GODARD wrote:
> During our NIDS tests, we systematically have snort 1.8.2 (with or without snmp
> and mysql on) which crashes under 50 Mb traffic composed of tiny packets of
> 64 bits. We test it on a Sun platform under Solaris 2.7.
> We just change "preprocessor stream4_reassemble" options from default to
> "both:port all"
> We change this option because we would like to test snort's ability to detect
> fragmented attacks on heavy traffic.
> On an established 50Mb traffic, we start snort; it detects some fragmented
> attacks, but not all, then after some minutes it crashes with a core dump.
> On a 25Mb traffic it doesn't crash and detects all fragmented attacks.
> Does someone have an explanation for this crash? Is snort limited to small
> traffic when we ask it to reassemble packets?
Well, more info is needed. Please have a look at the BUGS file and follow the
instructions on how to generate more info for debugging.