2 Replies Latest reply on Apr 23, 2014 4:42 PM by tjaynes

    SENSOR: Attack Marker Resources Exhausted

    tjaynes

      Hello all,

       

      Opened an SR with McAfee on this "internal" signature. The only information I can find on it is a KB explaining you cannot capture any data with the signature. What I'm looking to determine is the cause of the alert and ways to mitigate the resource issue. At this point our sensor is only seeing a 30-40% sensor-load and a 50-70% throughput rate.

      Anyone have any ideas? I'll post back with the results from tier 3/diagnostics file we've provided to support.

       

      Thank you,

      tjaynes

       

      Message was edited by: tjaynes on 4/23/14 4:14:21 PM CDT
        • 1. Re: SENSOR: Attack Marker Resources Exhausted
          msitko

          What's the output of the sensor CLI command 'show mem-usage' when you receive these alerts?  The output of 'show flows' may be useful as well.

           

          Message was edited by: msitko on 4/23/14 4:18:37 PM CDT
          • 2. Re: SENSOR: Attack Marker Resources Exhausted
            tjaynes

            msitko,

             

            > show mem-usage

            Avg. Used TCP and UDP Flows  across all PEs          : 21%

            Max. Used TCP and UDP Flows on a single PE           : 22%

            Avg. Used Fragmented IP Flows  across all PEs        : 0%

            Max. Used Fragmented IP Flows on a single PE         : 0%

            Avg. Used ICMP Flows  across all PEs                 : 0%

            Max. Used ICMP Flows on a single PE                  : 0%

            Avg. Used SSL Flows across all PEs                   : 0%

            Max. Used SSL Flows on a single PE                   : 0%

            Avg. Used Fragment Reassembly Buffers across all PEs : 0%

            Max. Used Fragment Reassembly Buffers on a single PE : 0%

            Avg. Used Packet Buffers  across all PEs             : 0%

            Max. Used Packet Buffers on a single PE              : 0%

            Avg. Used Attack Marker Nodes  across all PEs        : 70%

            Max. Used Attack Marker Nodes on a single PE         : 73%

            Avg. Used Shell Marker Nodes  across all PEs         : 0%

            Max. Used Shell Marker Nodes on a single PE          : 0%

            Avg. Used L7 Dcap Alert Buffers across all PEs         : 0%

            Max. Used L7 Dcap Alert Buffers on a single PE          : 0%

            Avg. Used L7 Dcap flows across all PEs         : 0%

            Max. Used L7 Dcap flows on a single PE          : 0%

             

            > show sensor-load

            Average load across all PEs                     : 31% (approx.)

            Maximum load on a single PE                     : 34% (approx.)

             

            >show flows

            Total TCBs = 1050210

            Total free TCBs = 829515

            Total active TCP flows = 194618

            Total TCP flows in timewait = 3750

            Total active UDP flows = 22329

            Total flows in SYN state = 340

            Total TCP flows created = 544800306

            Total abandoned TCP handshakes = 24168215

            syncookie inbound status = Inactive

            syncookie outbound status = Inactive

            Total syn cookie proxy connections = 0

            Total dequote flows count = 4095
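
Added example, not part of the thread and not vendor tooling: a small Python parser for the 'show mem-usage' text posted above that reports which resource pools are running high, so captures taken at alert time can be compared. The 60% threshold and the function names are assumptions for illustration, not McAfee limits; the sample lines are a constructed subset of the posted output.

```python
import re

# Constructed sample: a subset of the 'show mem-usage' lines posted in the thread.
SAMPLE = """\
Avg. Used TCP and UDP Flows  across all PEs          : 21%
Max. Used TCP and UDP Flows on a single PE           : 22%
Avg. Used Attack Marker Nodes  across all PEs        : 70%
Max. Used Attack Marker Nodes on a single PE         : 73%
Avg. Used L7 Dcap flows across all PEs         : 0%
Max. Used L7 Dcap flows on a single PE          : 0%
"""

# Matches "Avg./Max. Used <pool> across all PEs / on a single PE : NN%".
LINE_RE = re.compile(
    r"^\s*(Avg|Max)\.\s+Used\s+(.+?)\s+"
    r"(?:across all PEs|on a single PE)\s*:\s*(\d+)%\s*$"
)


def parse_mem_usage(text):
    """Return {pool name: {"avg": int, "max": int}} from 'show mem-usage' text."""
    pools = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, blank lines, output of other commands
        kind, name, pct = m.groups()
        name = " ".join(name.split())  # collapse the irregular column spacing
        pools.setdefault(name, {})[kind.lower()] = int(pct)
    return pools


def pools_over(pools, threshold=60):
    """Pools whose avg or max usage is >= threshold (assumed value, in percent)."""
    return sorted(n for n, v in pools.items() if max(v.values()) >= threshold)


if __name__ == "__main__":
    parsed = parse_mem_usage(SAMPLE)
    for pool in pools_over(parsed):
        usage = parsed[pool]
        print(f"{pool}: avg {usage.get('avg')}% max {usage.get('max')}%")
```

Run against the full output in the post, only the Attack Marker Nodes pool crosses the assumed threshold, while flow and buffer pools stay at or below 22%.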