Snort mailing list archives

Re: Fwd: Re: disable frag3


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 23 Dec 2011 09:40:05 -0500

You would comment it out; however, I'd highly recommend against it.

-- 
Joel Esler

On Dec 23, 2011, at 6:56 AM, Azfar Hashmi <azfar.hashmi () cloudways com> wrote:

It's on a public network, so I can't bypass IP addresses (not static IP). Back
to the question: what is the correct syntax to disable it?

On 12/21/2011 12:07 AM, Joel Esler wrote:
That is a massive amount of frags. Any way you could ignore that particular host with bpf?

--
Joel Esler

On Dec 20, 2011, at 1:43 AM, Azfar Hashmi <azfar.hashmi () cloudways com> wrote:


-------- Original Message --------
Subject:    Re: [Snort-users] disable frag3
Date:    Tue, 20 Dec 2011 10:56:50 +0500
From:    Azfar Hashmi <azfar.hashmi () cloudways com>
To:    Snort-users () lists sourceforge net


Here is my log. I am having too many memory faults, and sometimes I see
"segfault" errors in my logs too.

Frag3 statistics:
Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
Dec 20 06:30:12  snort[8750]:                Discards: 0
Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
Dec 20 06:30:12  snort[8750]:                Timeouts: 2
Dec 20 06:30:12  snort[8750]:                Overlaps: 0
Dec 20 06:30:12  snort[8750]:               Anomalies: 0
Dec 20 06:30:12  snort[8750]:                  Alerts: 0
Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679

Let me ask the basic question first.  Why are you trying to disable
the frag3 preprocessor?

I have to do it for troubleshooting purposes. Snort is crashing daily at
load times, and I have checked that at that time the server is receiving a large
number of fragmented packets. If it stops crashing after disabling it,
then I will enable it after increasing its hardware power.

On 12/19/2011 7:53 PM, Joel Esler wrote:


On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:

I am trying to disable the frag3 preprocessor, but Snort is giving me an error:
"invalid frag3 global option (disabled)"

What am I doing wrong?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

