Opened an SR with McAfee on this "internal" signature. The only information I can find on it is a KB explaining you cannot capture any data with the signature. What I'm looking to determine is the cause of the alert and ways to mitigate the resource issue. At this point our sensor is only seeing a 30-40% sensor-load and a 50-70% throughput rate.
Anyone have any ideas? I'll post back with the results from tier 3/diagnostics file we've provided to support.
tjaynes
Message was edited by: tjaynes on 4/23/14 4:14:21 PM CDT
What's the output of the sensor CLI command 'show mem-usage' when you receive these alerts? The output of 'show flows' may be useful as well.
Message was edited by: msitko on 4/23/14 4:18:37 PM CDT
> show mem-usage
Avg. Used TCP and UDP Flows across all PEs : 21%
Max. Used TCP and UDP Flows on a single PE : 22%
Avg. Used Fragmented IP Flows across all PEs : 0%
Max. Used Fragmented IP Flows on a single PE : 0%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 0%
Avg. Used Attack Marker Nodes across all PEs : 70%
Max. Used Attack Marker Nodes on a single PE : 73%
Avg. Used Shell Marker Nodes across all PEs : 0%
Max. Used Shell Marker Nodes on a single PE : 0%
Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
Max. Used L7 Dcap Alert Buffers on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
> show sensor-load
Average load across all PEs : 31% (approx.)
Maximum load on a single PE : 34% (approx.)
Total TCBs = 1050210
Total free TCBs = 829515
Total active TCP flows = 194618
Total TCP flows in timewait = 3750
Total active UDP flows = 22329
Total flows in SYN state = 340
Total TCP flows created = 544800306
Total abandoned TCP handshakes = 24168215
syncookie inbound status = Inactive
syncookie outbound status = Inactive
Total syn cookie proxy connections = 0
Total dequote flows count = 4095
I know this is an old post but I just got an event of this sort and I can't find any details or further information on it.
Can anyone that has seen this maybe share what they have learnt from these events?
If you are seeing the "SENSOR: Attack Marker Resources Exhausted" alert it means that the sensor has run out of TCB (Transmission Control Blocks - I believe), which basically means it has no resources to track any new connections/transactions that may contain new attacks.
Think about it this way - I have a sensor that can track 10 connections, but I have 20 connections through it.
It won't work. You may need to look at re-sizing the solution or excluding protocols so that the protocols of interest get the max TCB allocation for the sensor model.
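To make the 'show mem-usage' and 'show sensor-load' output posted earlier easier to read against the TCB explanation above, here is a small parser. It is an added example written for this thread, not McAfee code and not from any poster: it assumes the CLI output looks exactly like the paste above, and the 60%/90% warn/crit thresholds are arbitrary assumptions, not vendor guidance. It computes TCB utilisation from the 'Total TCBs' and 'Total free TCBs' counters, the share of abandoned handshakes, and lists the pool whose busiest PE is nearest exhaustion.

```python
"""Parse McAfee NSP 'show mem-usage' / 'show sensor-load' output and flag
the resource pool nearest exhaustion. Added example for this thread; the
thresholds and the 'hot pool' heuristic are assumptions, not McAfee guidance."""
import re

# Constructed sample input: the 'show mem-usage' lines pasted in the thread.
MEM_USAGE = """\
Avg. Used TCP and UDP Flows across all PEs : 21%
Max. Used TCP and UDP Flows on a single PE : 22%
Avg. Used Fragmented IP Flows across all PEs : 0%
Max. Used Fragmented IP Flows on a single PE : 0%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 0%
Avg. Used Attack Marker Nodes across all PEs : 70%
Max. Used Attack Marker Nodes on a single PE : 73%
Avg. Used Shell Marker Nodes across all PEs : 0%
Max. Used Shell Marker Nodes on a single PE : 0%
Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
Max. Used L7 Dcap Alert Buffers on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
"""

# Constructed sample input: the 'show sensor-load' counters pasted in the thread.
SENSOR_LOAD = """\
Average load across all PEs : 31% (approx.)
Maximum load on a single PE : 34% (approx.)
Total TCBs = 1050210
Total free TCBs = 829515
Total active TCP flows = 194618
Total TCP flows in timewait = 3750
Total active UDP flows = 22329
Total flows in SYN state = 340
Total TCP flows created = 544800306
Total abandoned TCP handshakes = 24168215
"""

POOL_RE = re.compile(r"^(Avg|Max)\. Used (.+?) (?:across all PEs|on a single PE)\s*:\s*(\d+)%$")
COUNTER_RE = re.compile(r"^Total (.+?)\s*=\s*(\d+)$")


def parse_mem_usage(text):
    """Map each pool name to its {'avg': %, 'max': %} pair."""
    pools = {}
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            stat, pool, pct = m.groups()
            pools.setdefault(pool, {})[stat.lower()] = int(pct)
    return pools


def parse_sensor_load(text):
    """Map each 'Total ... = N' counter name to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def tcb_utilization_pct(counters):
    """Percent of the TCB pool in use, derived from total minus free."""
    total, free = counters["TCBs"], counters["free TCBs"]
    return round(100.0 * (total - free) / total, 1)


def abandoned_handshake_pct(counters):
    """Abandoned handshakes as a percent of all TCP flows created; a rising
    ratio is a hint of scanning or SYN flooding eating TCBs."""
    return round(100.0 * counters["abandoned TCP handshakes"] / counters["TCP flows created"], 1)


def hot_pools(pools, warn=60, crit=90):
    """Pools whose busiest PE crosses a threshold, worst first. Thresholds are assumed."""
    flagged = []
    for name, stats in pools.items():
        peak = stats.get("max", stats.get("avg", 0))
        if peak >= crit:
            level = "CRIT"
        elif peak >= warn:
            level = "WARN"
        else:
            continue
        flagged.append((name, peak, stats.get("avg"), level))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    pools = parse_mem_usage(MEM_USAGE)
    counters = parse_sensor_load(SENSOR_LOAD)
    print(f"TCB pool in use: {tcb_utilization_pct(counters)}%")
    print(f"abandoned handshakes: {abandoned_handshake_pct(counters)}% of flows created")
    for name, peak, avg, level in hot_pools(pools):
        print(f"{level}: {name} max {peak}% on one PE (avg {avg}%)")
```

On the numbers pasted above the script reports the TCB pool at 21% used (matching the 'Avg. Used TCP and UDP Flows' line) and flags only 'Attack Marker Nodes' at 73% on the busiest PE, so when chasing this alert it is worth watching that pool over time rather than only the overall sensor-load figure.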