[Snort-users] Fwd: Re: disable frag3

Joel Esler jesler at ...1935...
Fri Dec 23 09:40:05 EST 2011


You would comment it out; however, I'd highly recommend against it.

-- 
Joel Esler

On Dec 23, 2011, at 6:56 AM, Azfar Hashmi <azfar.hashmi at ...15474...> wrote:

> It's on a public network so can't bypass IP addresses (not static IP). Back
> to the question. What is the correct syntax to disable it?
> 
> On 12/21/2011 12:07 AM, Joel Esler wrote:
>> That is a massive amount of frags. Any way you could ignore that particular host with bpf?
>> 
>> --
>> Joel Esler
>> 
>> On Dec 20, 2011, at 1:43 AM, Azfar Hashmi <azfar.hashmi at ...15474...> wrote:
>> 
>>> 
>>> -------- Original Message --------
>>> Subject:    Re: [Snort-users] disable frag3
>>> Date:    Tue, 20 Dec 2011 10:56:50 +0500
>>> From:    Azfar Hashmi <azfar.hashmi at ...15474...>
>>> To:    Snort-users at lists.sourceforge.net
>>> 
>>> 
>>> Here is my log, having too many memory faults, and sometimes I see
>>> "segfault" errors in my logs too.
>>> 
>>> Frag3 statistics:
>>> Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
>>> Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
>>> Dec 20 06:30:12  snort[8750]:                Discards: 0
>>> Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
>>> Dec 20 06:30:12  snort[8750]:                Timeouts: 2
>>> Dec 20 06:30:12  snort[8750]:                Overlaps: 0
>>> Dec 20 06:30:12  snort[8750]:               Anomalies: 0
>>> Dec 20 06:30:12  snort[8750]:                  Alerts: 0
>>> Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
>>> Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
>>> Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
>>> Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
>>> Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
>>> 
>>>> Let me ask the basic question first.  Why are you trying to disable
>>>> the frag3 preprocessor?
>>> 
>>> I have to do it for troubleshooting purposes. Snort is crashing daily at
>>> load times, and I have checked that at that time the server is receiving a large
>>> number of fragmented packets. If it stops crashing after disabling it,
>>> then I will enable it after increasing its hardware power.
>>> 
>>> On 12/19/2011 7:53 PM, Joel Esler wrote:
>>>> 
>>>> 
>>>> On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:
>>>> 
>>>>> I am trying to disable the frag3 preprocessor, but snort is giving me an error
>>>>> that "invalid frag3 global option (disabled)"
>>>>> 
>>>>> What am I doing wrong?
>>> 
>>> ------------------------------------------------------------------------------
>>> Write once. Port to many.
>>> Get the SDK and tools to simplify cross-platform app development. Create 
>>> new or port existing apps to sell to consumers worldwide. Explore the 
>>> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
>>> http://p.sf.net/sfu/intel-appdev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
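An added example, not part of the original thread: a small Python parser for the Frag3 statistics block quoted above, deriving a few ratios that help when deciding whether to tune the preprocessor rather than comment it out. The function names and derived metric names are assumptions of this example; the sample lines are the counters posted in the thread with the quote markers removed.

```python
import re

# Sample input: counters as posted in the thread (quote markers stripped).
SAMPLE = """\
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:                Discards: 0
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:                Timeouts: 2
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
"""

# Matches "<syslog prefix> snort[pid]:   <Counter Name>: <integer>"
LINE = re.compile(r"snort\[\d+\]:\s+([A-Za-z0-9 ]+?):\s+(\d+)\s*$")

def parse_frag3_stats(text):
    """Return {counter name: int}; lines that are not counters are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats

def _ratio(num, den, scale=1.0, digits=2):
    """Scaled ratio, or None when the denominator is zero or missing."""
    return round(scale * num / den, digits) if den else None

def summarize(stats):
    """Derive ratios from the raw counters (metric names are this example's own)."""
    total = stats.get("Total Fragments", 0)
    added = stats.get("FragTrackers Added", 0)
    return {
        "frags_per_tracker": _ratio(total, added, digits=3),
        "reassembled_pct": _ratio(stats.get("Frags Reassembled", 0), total, 100),
        "mem_faults_per_1k_frags": _ratio(stats.get("Memory Faults", 0), total, 1000),
        "trackers_still_held": added - stats.get("FragTrackers Dumped", 0),
        "nodes_still_held": stats.get("Frag Nodes Inserted", 0)
                            - stats.get("Frag Nodes Deleted", 0),
    }

if __name__ == "__main__":
    for name, value in summarize(parse_frag3_stats(SAMPLE)).items():
        print(f"{name:>26}: {value}")
```

On the posted counters this shows roughly one fragment per tracker and only a fraction of a percent of fragments ever reassembled, which is the pattern to compare before and after any change to the frag3 lines in the configuration.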