Snort mailing list archives
Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info
From: "James Lay" <jlay () slave-tothe-box net>
Date: Fri, 17 Nov 2006 09:16:58 -0700
Wow good questions :D Ok..here is the info:

Distro is Slackware 10.2

Compiled Snort with:
./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin

I have some streaming media and a trickle of ssh traffic..this is just a home setup, so not a lot of traffic present.

Are the below all the mem options I have?
ac | ac-std | ac-bnfa | acs | ac-banded | ac-sparsebands | lowmem

After initial startup, snort with ac-sparsebands is using 52% of 1 gig of memory..which is about how it was running with 2.6.0

And HOLY SMACKERS! Ac-bnfa sure made a difference! Tested with that and now snort is using 9% of memory, and init time was less than a minute!

09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108
09:10:35 myshield snort[31108]: Daemon parent exiting
09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)
09:11:10 myshield snort[31109]: Not Using PCAP_FRAMES

I'll see how this flies throughout the day. Thank you!!

James

-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Justin Heath
Sent: Friday, November 17, 2006 5:56 AM
To: Forward4James
Cc: Snort
Subject: Re: [Snort-users] 2.6.1 and LOOOONG startup times plus moreignore_scanners info

Can you provide more information regarding your setup? If so ...

What OS/Distro and OS/Distro version are you running?
Did you compile by hand or use the binaries from snort.org?
If you compiled by hand what configure arguments, cflags etc. did you use?
How much traffic is passing by the monitoring interface that Snort is configured to listen to?
What results did you see with the new pattern matcher (ac-bnfa) enabled?

Cheers,
Justin Heath

On 11/17/06, James Lay <jlay () slave-tothe-box net> wrote:
Sooo....I nuked:

config detection: search-method ac-sparsebands

and now snort starts with no ignore_scanners error (from my previous post). With config detection: search-method ac-sparsebands enabled snort takes about 800 megs of ram. Without it, snort now takes 1.4 gigs of ram. Snort 2.6.1 now takes almost a full 15 minutes to fully start:

Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES

Including config below:

var HOME_NET [192.168.0.0/24,exip]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.2
var SMTP_SERVERS 192.168.0.2
var HTTP_SERVERS 192.168.0.2
var SQL_SERVERS 192.168.0.2
var TELNET_SERVERS 192.168.0.2
var SNMP_SERVERS 192.168.0.2
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /chroot/snort/etc/snort/rules
var SSH_PORTS 22

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports[all]
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners { 192.168.0.3,192.168.0.2 }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user= password= dbname= host=192.168.0.3

include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
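The thread measures the effect of `config detection: search-method` by reading syslog timestamps by hand. As an added example (not from this thread or the Snort project), the Python below computes the daemon-to-ready interval from Snort's syslog lines in both shapes pasted above, and reports which search-method a snort.conf sets, so a matcher change can be timed rather than eyeballed. The sample lines and config fragment are constructed from the ones in the thread; the function names are my own.

```python
import re
from datetime import datetime

# Matches both syslog shapes pasted in the thread (with or without "Mon DD ").
_LINE = re.compile(
    r'^(?:[A-Z][a-z]{2} +\d{1,2} )?(\d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: (.*)$')
_FIRST = ("Daemon initialized", "Daemon parent exiting")
_READY = "Snort initialization completed successfully"

def snort_startup_seconds(lines):
    """Seconds from the first daemon message to 'initialization completed',
    or None if either marker is missing (e.g. Snort never finished)."""
    t_first = t_ready = None
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        if t_first is None and m.group(2).startswith(_FIRST):
            t_first = t
        elif m.group(2).startswith(_READY):
            t_ready = t
    if t_first is None or t_ready is None:
        return None
    secs = (t_ready - t_first).total_seconds()
    return secs + 86400 if secs < 0 else secs  # startup crossed midnight

_DETECT = re.compile(r'^\s*config\s+detection\s*:\s*(.*)$', re.M)

def snort_search_method(conf_text):
    """Matcher named by 'config detection: search-method X', or None when
    snort.conf sets none and Snort falls back to its built-in default."""
    for m in _DETECT.finditer(conf_text):
        opts = m.group(1).split()
        if "search-method" in opts and opts.index("search-method") + 1 < len(opts):
            return opts[opts.index("search-method") + 1]
    return None

# Constructed samples: the two startups James reported, and a config line.
SLOW_START = [  # 2.6.1 with no search-method set
    "Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting",
    "Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)",
]
FAST_START = [  # same box after switching to ac-bnfa
    "09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108",
    "09:10:35 myshield snort[31108]: Daemon parent exiting",
    "09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)",
]
CONF = "var HOME_NET [192.168.0.0/24]\nconfig detection: search-method ac-bnfa\n"
```

Run against the two samples it returns 850 seconds for the default matcher and 35 seconds for ac-bnfa, matching the 15-minute and under-a-minute figures in the thread.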