SENSOR: Attack Marker Resources Exhausted

Hello all,

Opened an SR with McAfee on this "internal" signature. The only information I can find on it is a KB explaining you cannot capture any data with the signature. What I'm looking to determine is the cause of the alert and ways to mitigate the resource issue. At this point our sensor is only seeing a 30-40% sensor-load and a 50-70% throughput rate.

Anyone have any ideas? I'll post back with the results from tier 3/diagnostics file we've provided to support.

Thank you,

tjaynes

Message was edited by: tjaynes on 4/23/14 4:14:21 PM CDT
4 Replies
Level 10
Message 2 of 5

Re: SENSOR: Attack Marker Resources Exhausted

What's the output of the sensor CLI command 'show mem-usage' when you receive these alerts?  The output of 'show flows' may be useful as well.

Message was edited by: msitko on 4/23/14 4:18:37 PM CDT

Re: SENSOR: Attack Marker Resources Exhausted

msitko,

> show mem-usage
Avg. Used TCP and UDP Flows  across all PEs          : 21%
Max. Used TCP and UDP Flows on a single PE           : 22%
Avg. Used Fragmented IP Flows  across all PEs        : 0%
Max. Used Fragmented IP Flows on a single PE         : 0%
Avg. Used ICMP Flows  across all PEs                 : 0%
Max. Used ICMP Flows on a single PE                  : 0%
Avg. Used SSL Flows across all PEs                   : 0%
Max. Used SSL Flows on a single PE                   : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers  across all PEs             : 0%
Max. Used Packet Buffers on a single PE              : 0%
Avg. Used Attack Marker Nodes  across all PEs        : 70%
Max. Used Attack Marker Nodes on a single PE         : 73%
Avg. Used Shell Marker Nodes  across all PEs         : 0%
Max. Used Shell Marker Nodes on a single PE          : 0%
Avg. Used L7 Dcap Alert Buffers across all PEs         : 0%
Max. Used L7 Dcap Alert Buffers on a single PE          : 0%
Avg. Used L7 Dcap flows across all PEs         : 0%
Max. Used L7 Dcap flows on a single PE          : 0%

> show sensor-load
Average load across all PEs                     : 31% (approx.)
Maximum load on a single PE                     : 34% (approx.)

>show flows
Total TCBs = 1050210
Total free TCBs = 829515
Total active TCP flows = 194618
Total TCP flows in timewait = 3750
Total active UDP flows = 22329
Total flows in SYN state = 340
Total TCP flows created = 544800306
Total abandoned TCP handshakes = 24168215
syncookie inbound status = Inactive
syncookie outbound status = Inactive
Total syn cookie proxy connections = 0
Total dequote flows count = 4095
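
Added example, not part of any post in this thread and not McAfee code: a Python parser for `show mem-usage` output like the above that pairs the Avg/Max lines for each resource pool and reports the pools at or above a threshold. The sample is constructed from lines posted here; the 60% threshold and the function names are assumptions.

```python
import re

# Constructed sample: a subset of the `show mem-usage` lines posted in this thread.
SAMPLE = """\
Avg. Used TCP and UDP Flows  across all PEs          : 21%
Max. Used TCP and UDP Flows on a single PE           : 22%
Avg. Used Fragmented IP Flows  across all PEs        : 0%
Max. Used Fragmented IP Flows on a single PE         : 0%
Avg. Used Attack Marker Nodes  across all PEs        : 70%
Max. Used Attack Marker Nodes on a single PE         : 73%
Avg. Used L7 Dcap flows across all PEs         : 0%
Max. Used L7 Dcap flows on a single PE          : 0%
"""

# One line = Avg/Max marker, pool name, scope phrase, percentage.
LINE = re.compile(
    r"^(Avg|Max)\.\s+Used\s+(.+?)\s+(?:across all PEs|on a single PE)\s*:\s*(\d+)%\s*$"
)

def parse_mem_usage(text):
    """Return {pool: {"avg": int, "max": int}} from `show mem-usage` output."""
    pools = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, CLI prompts, output of other commands
        kind = m.group(1).lower()
        name = " ".join(m.group(2).split())  # collapse the padding spaces
        pools.setdefault(name, {})[kind] = int(m.group(3))
    return pools

def pools_over(pools, threshold=60):
    """List (pool, avg, max) where the per-PE maximum meets the threshold,
    highest first. Keying on max catches a single saturated PE.
    The default of 60 is an assumed value, not a documented sensor limit."""
    hits = [(n, v.get("avg"), v["max"]) for n, v in pools.items()
            if v.get("max", 0) >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for name, avg, mx in pools_over(parse_mem_usage(SAMPLE)):
        print(f"{name}: avg {avg}%, max {mx}% of pool in use")
```

Run against saved CLI output collected at alert time, it shows which pool is under pressure while the others sit idle.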

Reliable Contributor
Message 4 of 5

Re: SENSOR: Attack Marker Resources Exhausted

I know this is an old post but I just got an event of this sort and I can't find any details or further information on it.

Can anyone that has seen this maybe share what they have learnt from these events?

McAfee Employee
Message 5 of 5

Re: SENSOR: Attack Marker Resources Exhausted

If you are seeing the "SENSOR: Attack Marker Resources Exhausted" alert it means that the sensor has run out of TCB (Transmission Control Blocks - I believe), which basically means it has no resources to track any new connections/transactions that may contain new attacks.

Think about it this way - I have a sensor that can track 10 connections, but I have 20 connections through it.

It won't work. You may need to look at re-sizing the solution or excluding protocols so that the protocols of interest get the max TCB allocation for the sensor model.

HTH.

Regards,

David
