Re: Fwd: Re: disable frag3

[Azfar Hashmi <azfar.hashmi () cloudways com>]

Its 2.7.0-20.4 from squeeze.

On 1/3/2012 9:54 PM, Russ Combs wrote:
> Azfar, what version of Snort are you running?
>
> If you build with --enable-debug and send us the core file we may be
> able to figure it out.
>
> On Fri, Dec 23, 2011 at 9:40 AM, Joel Esler <jesler () sourcefire com
> <mailto:jesler () sourcefire com>> wrote:
>
>     You would comment it out, however, I'd highly recommend against it.
>
>     --
>     Joel Esler
>
>     On Dec 23, 2011, at 6:56 AM, Azfar Hashmi
>     <azfar.hashmi () cloudways com <mailto:azfar.hashmi () cloudways com>>
>     wrote:
>
>     > its on public network so cant bypass IP addresses (not static
>     IP). Back
>     > to question. What is the correct syntax to disable it.
>     >
>     > On 12/21/2011 12:07 AM, Joel Esler wrote:
>     >> That is a massive amount of frags. Any way you could ignore
>     that particular host with bpf?
>     >>
>     >> --
>     >> Joel Esler
>     >>
>     >> On Dec 20, 2011, at 1:43 AM, Azfar Hashmi
>     <azfar.hashmi () cloudways com <mailto:azfar.hashmi () cloudways com>>
>     wrote:
>     >>
>     >>>
>     >>> -------- Original Message --------
>     >>> Subject:    Re: [Snort-users] disable frag3
>     >>> Date:    Tue, 20 Dec 2011 10:56:50 +0500
>     >>> From:    Azfar Hashmi <azfar.hashmi () cloudways com
>     <mailto:azfar.hashmi () cloudways com>>
>     >>> To:    Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     >>>
>     >>>
>     >>> Here is my log, having too many memory fault and some times i see
>     >>> "segfault" error in my logs too.
>     >>>
>     >>> Frag3 statistics:
>     >>> Dec 20 06:30:12 snort[8750]:         Total Fragments: 2413767
>     >>> Dec 20 06:30:12  snort[8750]:       Frags Reassembled: 5183
>     >>> Dec 20 06:30:12  snort[8750]:                Discards: 0
>     >>> Dec 20 06:30:12  snort[8750]:           Memory Faults: 18741
>     >>> Dec 20 06:30:12  snort[8750]:                Timeouts: 2
>     >>> Dec 20 06:30:12  snort[8750]:                Overlaps: 0
>     >>> Dec 20 06:30:12  snort[8750]:               Anomalies: 0
>     >>> Dec 20 06:30:12  snort[8750]:                  Alerts: 0
>     >>> Dec 20 06:30:12  snort[8750]:      FragTrackers Added: 2407937
>     >>> Dec 20 06:30:12  snort[8750]:     FragTrackers Dumped: 2403849
>     >>> Dec 20 06:30:12  snort[8750]: FragTrackers Auto Freed: 0
>     >>> Dec 20 06:30:12  snort[8750]:     Frag Nodes Inserted: 2413767
>     >>> Dec 20 06:30:12  snort[8750]:      Frag Nodes Deleted: 2409679
>     >>>
>     >>>> Let me ask the basic question first.  Why are you trying to
>     disable
>     >>> the frag3 preprocessor?
>     >>>
>     >>> I have to do it for trouble-shooting purpose. Snort is
>     crashing daily in
>     >>> load times and I have checked that that time server receiving
>     large
>     >>> number of fragmented packets. If it stop crashing after
>     disabling it
>     >>> then i will enable it after increasing its hardware power.
>     >>>
>     >>> On 12/19/2011 7:53 PM, Joel Esler wrote:
>     >>>>
>     >>>>
>     >>>> On Dec 19, 2011, at 5:33 AM, Azfar Hashmi wrote:
>     >>>>
>     >>>>> I am trying to disable frag3 preprocessor but snort giving
>     me an error
>     >>>>> that "invalid frag3 global option (disabled)"
>     >>>>>
>     >>>>> What I am doing wrong.
>     >>>
>     >>>
>     ------------------------------------------------------------------------------
>     >>> Write once. Port to many.
>     >>> Get the SDK and tools to simplify cross-platform app
>     development. Create
>     >>> new or port existing apps to sell to consumers worldwide.
>     Explore the
>     >>> Intel AppUpSM program developer opportunity.
>     appdeveloper.intel.com/join <http://appdeveloper.intel.com/join>
>     >>> http://p.sf.net/sfu/intel-appdev
>     >>> _______________________________________________
>     >>> Snort-users mailing list
>     >>> Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     >>> Go to this URL to change user options or unsubscribe:
>     >>> https://lists.sourceforge.net/lists/listinfo/snort-users
>     >>> Snort-users list archive:
>     >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>     >>>
>     >>> Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!
>     >
>     >
>     >
>     ------------------------------------------------------------------------------
>     > Write once. Port to many.
>     > Get the SDK and tools to simplify cross-platform app
>     development. Create
>     > new or port existing apps to sell to consumers worldwide.
>     Explore the
>     > Intel AppUpSM program developer opportunity.
>     appdeveloper.intel.com/join <http://appdeveloper.intel.com/join>
>     > http://p.sf.net/sfu/intel-appdev
>     > _______________________________________________
>     > Snort-users mailing list
>     > Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     > Go to this URL to change user options or unsubscribe:
>     > https://lists.sourceforge.net/lists/listinfo/snort-users
>     > Snort-users list archive:
>     > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>     >
>     > Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!
>
>     ------------------------------------------------------------------------------
>     Write once. Port to many.
>     Get the SDK and tools to simplify cross-platform app development.
>     Create
>     new or port existing apps to sell to consumers worldwide. Explore the
>     Intel AppUpSM program developer opportunity.
>     appdeveloper.intel.com/join <http://appdeveloper.intel.com/join>
>     http://p.sf.net/sfu/intel-appdev
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>     Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!


------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!