IDS-ERROR

David_711
Frequent Advisor

IDS-ERROR

Hi, my idsagent reports the following error:
Code: 10002
Message: kerneldsp:idskerndsp: Dropping audit records due to heavy load. First notice.

What does that mean?

Thanks a lot
David
Sanjay_6
Honored Contributor
Steven E. Protter
Exalted Contributor

Re: IDS-ERROR

Besides the obvious defect acknowledged, it would appear the system is too busy to keep up with data collection requirements.

Consider filtering the data you collect and making it more precise and less broad. HIDS can overload a server all by itself if configured to collect too much.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Scott Palmer_1
Trusted Contributor

Re: IDS-ERROR

This is caused by trying to monitor buffer overflows. All of the literature I have seen says to turn this feature off and set the kernel to not allow buffer overflows. This will also reduce the amount of CPU the idsagent takes from the system.

Sincerely

--Scott Palmer
Pierre Pasturel
Respected Contributor

Re: IDS-ERROR

David -

Performance improvements in V3.0 will reduce the chances of this happening. And the performance of our race condition template and buffer overflow template in V3.0 has greatly improved, especially for the stack buffer overflow template. A whitepaper on v3.0 performance will come out after we ship v3.0.

Pierre
David_711
Frequent Advisor

Re: IDS-ERROR

Sanjay,
The link is not working.
Thanks

Scott, I am not trying to log buffer overflows.

Thanks


David_711
Frequent Advisor

Re: IDS-ERROR

Pierre,
What can I do to avoid this error in HIDS 2.2?
Do you have some information about it?

Thanks
David
Scott Palmer_1
Trusted Contributor

Re: IDS-ERROR

David

I noticed those errors in the current version of IDS when I had "Race condition attacks" and "buffer overflow attacks" selected in the template screen. I did some searching on the web, and I found that there are serious performance issues when these options are selected. Specifically, the idscor (correlation engine) was chewing up a lot of CPU cycles. I unselected both of these options, re-pushed the schedules, and lo and behold I stopped getting the error message you reported. I believe that the issue is that the idscor process was dropping these packets, but I am not 100% sure. I currently am running IDS on an A-class and an L-class server and the idscor process experienced the same issues.

Hope this sheds a bit of light.

Sincerely

--Scott Palmer
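The practical consequence of the Code 10002 notice is that audit records are being discarded, so the host's audit trail has gaps for as long as the condition lasts. The script below is an added example (not code from the thread or from HP's HIDS product) that parses idsagent error records in the `Code:` / `Message:` shape quoted above and raises an alert whenever a dropped-audit notice appears, so the gap is surfaced rather than silently logged. The sample records, the placeholder code `00000` and the function names are constructed for the example; only `10002` and its message text come from the thread.

```python
"""Flag HP-UX HIDS idsagent 'Dropping audit records' notices in an error log.

Added example: a small parser plus a check that treats every dropped-audit
notice as an audit-coverage gap worth alerting on.
"""
import re
from dataclasses import dataclass
from typing import List

# Error code and message text quoted in the thread.
DROP_CODE = "10002"
DROP_PATTERN = re.compile(r"Dropping audit records due to heavy load")

# Constructed sample records. Code 00000 is a placeholder, not a real HIDS code.
SAMPLE_LOG = """\
Code: 10002
Message: kerneldsp:idskerndsp: Dropping audit records due to heavy load. First notice.
Code: 00000
Message: constructed: placeholder heartbeat record for the example
Code: 10002
Message: kerneldsp:idskerndsp: Dropping audit records due to heavy load. First notice.
"""


@dataclass
class IdsRecord:
    code: str
    message: str


def parse_records(text: str) -> List[IdsRecord]:
    """Turn consecutive 'Code:' / 'Message:' line pairs into IdsRecord objects.

    A 'Message:' line without a preceding 'Code:' line is ignored, so a
    truncated record at the top of a rotated log does not poison the parse.
    """
    records = []
    pending_code = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Code:"):
            pending_code = line[len("Code:"):].strip()
        elif line.startswith("Message:") and pending_code is not None:
            records.append(IdsRecord(pending_code, line[len("Message:"):].strip()))
            pending_code = None
    return records


def audit_drop_notices(records: List[IdsRecord]) -> List[IdsRecord]:
    """Select records that report dropped audit data, by code or by message text."""
    return [r for r in records if r.code == DROP_CODE or DROP_PATTERN.search(r.message)]


def assess(records: List[IdsRecord]) -> str:
    """Summarise the audit-coverage state: 'ok' or an 'alert' naming the sources."""
    drops = audit_drop_notices(records)
    if not drops:
        return "ok: no dropped-audit notices"
    # The component name is the first colon-separated field of the message.
    sources = sorted({r.message.split(":")[0] for r in drops})
    return (f"alert: {len(drops)} dropped-audit notice(s) from "
            f"{', '.join(sources)}; audit trail has gaps")


if __name__ == "__main__":
    print(assess(parse_records(SAMPLE_LOG)))
```

Run against a real idsagent error log, the alert is the signal to act on the thread's advice: check which templates are enabled (the buffer overflow and race condition templates in particular) and narrow collection until the notices stop, since every notice represents audit events that were never recorded.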
Pierre Pasturel
Respected Contributor

Re: IDS-ERROR

David -

Please refer to the Admin Guide Chapter 5 and the Section titled "Some Template Configuration Guidelines" on p. 74. You want to avoid running the buffer overflow and race condition template in V2.x.

Pierre