[Snort-users] Fwd: Re: disable frag3

Azfar Hashmi azfar.hashmi at ...15474...
Tue Dec 20 01:43:52 EST 2011



-------- Original Message --------
Subject: 	Re: [Snort-users] disable frag3
Date: 	Tue, 20 Dec 2011 10:56:50 +0500
From: 	Azfar Hashmi <azfar.hashmi at ...15474...>
To: 	Snort-users at lists.sourceforge.net


Here is my log. It has too many memory faults, and sometimes I see
"segfault" errors in my logs too.

Frag3 statistics:
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:                Discards: 0
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:                Timeouts: 2
Dec 20 06:30:12  snort[8750]:                Overlaps: 0
Dec 20 06:30:12  snort[8750]:               Anomalies: 0
Dec 20 06:30:12  snort[8750]:                  Alerts: 0
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679

> Let me ask the basic question first.  Why are you trying to disable
> the frag3 preprocessor?

I have to do it for troubleshooting purposes. Snort is crashing daily at
load times, and I have checked that at that time the server is receiving a
large number of fragmented packets. If it stops crashing after disabling it,
then I will enable it after increasing its hardware power.

On 12/19/2011 7:53 PM, Joel Esler wrote:
>
>
>
> On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:
>
>> I am trying to disable the frag3 preprocessor but Snort is giving me an
>> error that "invalid frag3 global option (disabled)"
>>
>> What am I doing wrong?
>
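
An added example, not part of the original message and not Snort's own code: a small Python parser for the Frag3 statistics block as it appears in the syslog output quoted in this thread, which works out the memory-fault rate per 1000 fragments and the tracker and node counts not yet released, so the figures can be compared from one run to the next. The function names and the derived metric names are assumptions of this example.

```python
import re

# Sample input: the Frag3 statistics lines copied from the post above.
SAMPLE_LOG = """\
Frag3 statistics:
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:                Discards: 0
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:                Timeouts: 2
Dec 20 06:30:12  snort[8750]:                Overlaps: 0
Dec 20 06:30:12  snort[8750]:               Anomalies: 0
Dec 20 06:30:12  snort[8750]:                  Alerts: 0
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
"""

# "<syslog prefix> snort[<pid>]: <counter name>: <integer>"
LINE_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+(?P<name>[A-Za-z0-9 ]+?):\s+(?P<value>\d+)\s*$")

def parse_frag3_stats(text):
    """Return {pid: {counter name: value}} for each counter line in text."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # the header and unrelated syslog lines are skipped
            stats.setdefault(int(m["pid"]), {})[m["name"]] = int(m["value"])
    return stats

def summarize(c):
    """Derived figures; the key names are hypothetical, chosen for this example."""
    total = c.get("Total Fragments", 0)
    return {
        "faults_per_1000_frags":
            1000 * c.get("Memory Faults", 0) / total if total else 0.0,
        "trackers_outstanding": c.get("FragTrackers Added", 0)
            - c.get("FragTrackers Dumped", 0) - c.get("FragTrackers Auto Freed", 0),
        "nodes_outstanding":
            c.get("Frag Nodes Inserted", 0) - c.get("Frag Nodes Deleted", 0),
    }

if __name__ == "__main__":
    for pid, counters in parse_frag3_stats(SAMPLE_LOG).items():
        print(pid, summarize(counters))
```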




