Snort mailing list archives

Fwd: Re: disable frag3


From: Azfar Hashmi <azfar.hashmi () cloudways com>
Date: Tue, 20 Dec 2011 11:43:52 +0500



-------- Original Message --------
Subject:        Re: [Snort-users] disable frag3
Date:   Tue, 20 Dec 2011 10:56:50 +0500
From:   Azfar Hashmi <azfar.hashmi () cloudways com>
To:     Snort-users () lists sourceforge net


Here is my log; I am having too many memory faults, and sometimes I see
"segfault" errors in my logs too.

Frag3 statistics:
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:                Discards: 0
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:                Timeouts: 2
Dec 20 06:30:12  snort[8750]:                Overlaps: 0
Dec 20 06:30:12  snort[8750]:               Anomalies: 0
Dec 20 06:30:12  snort[8750]:                  Alerts: 0
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679

Let me ask the basic question first.  Why are you trying to disable
the frag3 preprocessor?

I have to do it for troubleshooting purposes. Snort is crashing daily at
load times, and I have checked that at that time the server is receiving a large
number of fragmented packets. If it stops crashing after disabling it,
then I will enable it after increasing its hardware power.

On 12/19/2011 7:53 PM, Joel Esler wrote:



On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:

I am trying to disable the frag3 preprocessor, but Snort is giving me an error
that "invalid frag3 global option (disabled)".

What am I doing wrong?
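
An added example, not part of the original messages or of Snort itself: a small Python parser for the Frag3 statistics lines posted above that normalises the counters by fragment volume, so runs can be compared before and after a configuration or hardware change. The function names and the `fault_threshold` value are assumptions chosen for illustration, not Snort defaults.

```python
import re

# Subset of the statistics lines quoted in the message above.
SAMPLE = """\
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
"""

# Matches "... snort[PID]:   Counter Name: 123" and ignores other lines.
STAT_RE = re.compile(r"snort\[(\d+)\]:\s+([A-Za-z0-9 ]+?):\s+(\d+)\s*$")


def parse_frag3_stats(text):
    """Return {pid: {counter name: value}} for each Snort PID in the log."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.search(line)
        if m:
            pid, name, value = m.groups()
            stats.setdefault(int(pid), {})[name.strip()] = int(value)
    return stats


def frag3_ratios(counters, fault_threshold=0.001):
    """Normalise counters by fragment volume; the threshold is an assumed value."""
    total = counters.get("Total Fragments", 0)
    added = counters.get("FragTrackers Added", 0)
    if total == 0:
        return {"flag_memory_faults": False}
    faults = counters.get("Memory Faults", 0) / total
    reassembled = counters.get("Frags Reassembled", 0) / total
    dumped = counters.get("FragTrackers Dumped", 0) / added if added else None
    return {
        "memory_faults_per_fragment": round(faults, 4),
        "reassembled_per_fragment": round(reassembled, 4),
        "trackers_dumped_per_added": None if dumped is None else round(dumped, 4),
        "flag_memory_faults": faults > fault_threshold,
    }


if __name__ == "__main__":
    for pid, counters in parse_frag3_stats(SAMPLE).items():
        print(pid, frag3_ratios(counters))
```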


