[Snort-users] Fwd: Re: disable frag3

Joel Esler jesler at ...1935...
Tue Dec 20 14:07:10 EST 2011


That is a massive amount of frags. Any way you could ignore that particular host with bpf?

--
Joel Esler

On Dec 20, 2011, at 1:43 AM, Azfar Hashmi <azfar.hashmi at ...15474...> wrote:

> 
> 
> -------- Original Message --------
> Subject:    Re: [Snort-users] disable frag3
> Date:    Tue, 20 Dec 2011 10:56:50 +0500
> From:    Azfar Hashmi <azfar.hashmi at ...15474...>
> To:    Snort-users at lists.sourceforge.net
> 
> 
> Here is my log, having too many memory faults, and sometimes I see a
> "segfault" error in my logs too.
> 
> Frag3 statistics:
> Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
> Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
> Dec 20 06:30:12  snort[8750]:                Discards: 0
> Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
> Dec 20 06:30:12  snort[8750]:                Timeouts: 2
> Dec 20 06:30:12  snort[8750]:                Overlaps: 0
> Dec 20 06:30:12  snort[8750]:               Anomalies: 0
> Dec 20 06:30:12  snort[8750]:                  Alerts: 0
> Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
> Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
> Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
> Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
> Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
> 
>> Let me ask the basic question first.  Why are you trying to disable
>> the frag3 preprocessor?
> 
> I have to do it for troubleshooting purposes. Snort is crashing daily at
> load times, and I have checked that at that time the server is receiving
> a large number of fragmented packets. If it stops crashing after disabling
> it, then I will enable it after increasing its hardware power.
> 
> On 12/19/2011 7:53 PM, Joel Esler wrote:
>> 
>> 
>> 
>> On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:
>> 
>>> I am trying to disable the frag3 preprocessor but Snort is giving me an
>>> error that "invalid frag3 global option (disabled)"
>>> 
>>> What am I doing wrong?
>> 
> 
> 



