topic Re: IDS-ERROR in Operating System - HP-UX

IDS-ERROR

David_711 — Tue, 19 Oct 2004 12:31:30 GMT

HI, my idsagent report the following error:
Code: 10002
Message: kerneldsp:idskerndsp: Dropping audit records due to heavy load. First notice.

What that mean?

Thanks a lot
David

Re: IDS-ERROR

Sanjay_6 — Tue, 19 Oct 2004 12:46:27 GMT

Hi David,

Looks like hp is still working on this issue, fix in the next version.

http://www2.itrc.hp.com/service/cki/search.do?category=c0&mode=id&searchString=8606337732&searchCrit=allwords&docType=Security&docType=Patch&docType=EngineerNotes&docType=BugReports&docType=Hardware&docType=ReferenceMaterials&docType=ThirdParty&search.x=24&search.y=8

the doc id is 8606337732

Hope this helps.

regds

Re: IDS-ERROR

Steven E. Protter — Tue, 19 Oct 2004 13:01:38 GMT

Besides the obvious defect acknowledged, it would appear the system is too busy to keep up with data collection requirements.

Consider filtering the data you collect and making it more precise and less broad. HIDS can overload a server all by itself if configured to collect too much.

SEP

Re: IDS-ERROR

Scott Palmer_1 — Tue, 19 Oct 2004 13:47:01 GMT

This is caused by trying to Monitor buffer overflows. All of the Literature I have see says turn this feature off and Set the kernel to not allow buffer overflows. This will also reduce the amount of CPU the idsagent takes from the system.

Sincerely

--Scott Palmer

Re: IDS-ERROR

Pierre Pasturel — Tue, 19 Oct 2004 14:49:04 GMT

David -

Performance improvements in V3.0 will reduce the chances of this happening. And the performance of our race condition template and buffer overflow template in V3.0 has greatly improved, especially for the stack buffer overflow template. A whitepaper on v3.0 performance will come out after we ship v3.0.

Pierre

Re: IDS-ERROR

David_711 — Tue, 19 Oct 2004 14:49:06 GMT

Sanjay,
The link is not working.
Thanks

Scott, i am not traying to log buffer overflow.

Thanks

Re: IDS-ERROR

David_711 — Tue, 19 Oct 2004 15:21:17 GMT

Pierre,
What i can do to avoid this error in hids 2.2?
Do you have some information about it?

Thanks
David

Re: IDS-ERROR

Scott Palmer_1 — Tue, 19 Oct 2004 16:43:39 GMT

David

I noticed those errors in the current version of IDS when i had "Race condition attacks" and "buffer overflow attacks" selected in the template screen. I did some searching on the web, and I found that there are serious performance Issues when these options are selected. Specifically the idscor (correlation engine) was chewing up alot of CPU cycles. I unselected both of these options, re-pushed the schedules, and low and behold I stopped getting the error message you reported. I believe that the issue is that the idscor process was dropping these packets, but I am not 100% sure. I currently am running IDS on an A class and and L class server and the idscor process experienced the same issues.

Hope this sheds a bit of light.

Sincerely

--Scott Palmer

Re: IDS-ERROR

Pierre Pasturel — Wed, 20 Oct 2004 14:01:35 GMT

David -

Please refer to the Admin Guide Chapter 5 and the Section titled "Some Template Configuration Guidelines" on p. 74. You want to avoid running the buffer overflow and race condition template in V2.x.

Pierre