[Snort-users] Fwd: Re: disable frag3

Azfar Hashmi azfar.hashmi at ...15474...
Fri Dec 23 06:56:54 EST 2011


It's on a public network, so I can't bypass IP addresses (not a static IP). Back
to the question: what is the correct syntax to disable it?

On 12/21/2011 12:07 AM, Joel Esler wrote:
> That is a massive amount of frags. Any way you could ignore that particular host with bpf?
>
> --
> Joel Esler
>
> On Dec 20, 2011, at 1:43 AM, Azfar Hashmi <azfar.hashmi at ...15474...> wrote:
>
>>
>> -------- Original Message --------
>> Subject:    Re: [Snort-users] disable frag3
>> Date:    Tue, 20 Dec 2011 10:56:50 +0500
>> From:    Azfar Hashmi <azfar.hashmi at ...15474...>
>> To:    Snort-users at lists.sourceforge.net
>>
>>
>> Here is my log. It has too many memory faults, and sometimes I see a
>> "segfault" error in my logs too.
>>
>> Frag3 statistics:
>> Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
>> Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
>> Dec 20 06:30:12  snort[8750]:                Discards: 0
>> Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
>> Dec 20 06:30:12  snort[8750]:                Timeouts: 2
>> Dec 20 06:30:12  snort[8750]:                Overlaps: 0
>> Dec 20 06:30:12  snort[8750]:               Anomalies: 0
>> Dec 20 06:30:12  snort[8750]:                  Alerts: 0
>> Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
>> Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
>> Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
>> Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
>> Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
>>
>>> Let me ask the basic question first.  Why are you trying to disable the frag3 preprocessor?
>>
>> I have to do it for troubleshooting purposes. Snort is crashing daily at
>> load times and I have checked that at that time the server is receiving a large
>> number of fragmented packets. If it stops crashing after disabling it
>> then I will enable it after increasing its hardware power.
>>
>> On 12/19/2011 7:53 PM, Joel Esler wrote:
>>>
>>>
>>> On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:
>>>
>>>> I am trying to disable the frag3 preprocessor but Snort is giving me an error
>>>> that "invalid frag3 global option (disabled)"
>>>>
>>>> What am I doing wrong?
>>