Snort mailing list archives

Re: Slow Start Times (5 minutes +)


From: JJC <cummingsj () gmail com>
Date: Thu, 10 Nov 2011 06:57:01 -0700

There are certainly optimizations... I would, however, be curious about how
much memory that your system has and how much is being used...  Could be a
simple sizing issue... and 17K rules is a ton of rules!

On Wed, Nov 9, 2011 at 3:02 PM, Eoin Miller <
eoin.miller () trojanedbinaries com> wrote:

Scripted the creation of a lot of signatures to look for some specific
domain/host names inside of http_header and noticed that snort now seems
to take quite a while to start up when these signatures are loaded (5
minutes).

Example rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
content:"domain1.com|0D 0A|"; http_header; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
content:"domain2.com|0D 0A|"; http_header; sid:2; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
content:"domain3.com|0D 0A|"; http_header; sid:3; rev:1;)
...
and so on and so forth
...

While snort is starting up, the processor is pegged at 100% for this
time period until it drops privs to daemonize and processes the pcap
file in no time at all after it gets rolling. I did some simple analysis
just using the 'time' command and processing a VERY small pcap (like ~10
packets) file with various numbers of rules to see how long it took.
Below is the number of example style rules and the time it took for
snort to start up and process the ~10 packet file:

01000 rules:
real    0m2.089s
user    0m1.000s
sys     0m0.097s

02000 rules:
real    0m3.324s
user    0m2.200s
sys     0m0.132s

03000 rules:
real    0m4.909s
user    0m3.766s
sys     0m0.150s

04000 rules:
real    0m6.878s
user    0m5.705s
sys     0m0.179s

05000 rules:
real    0m9.288s
user    0m8.063s
sys     0m0.231s

06000 rules:
real    0m12.267s
user    0m11.035s
sys     0m0.236s

07000 rules:
real    0m16.034s
user    0m14.767s
sys     0m0.266s

08000 rules:
real    0m20.464s
user    0m19.148s
sys     0m0.318s

09000 rules:
real    0m27.713s
user    0m26.380s
sys     0m0.332s

10000 rules:
real    0m37.173s
user    0m35.811s
sys     0m0.363s

11000 rules:
real    0m52.529s
user    0m51.074s
sys     0m0.457s

12000 rules:
real    1m17.307s
user    1m15.771s
sys     0m0.526s

13000 rules:
real    1m45.878s
user    1m44.328s
sys     0m0.530s

14000 rules:
real    2m34.341s
user    2m32.678s
sys     0m0.648s

15000 rules:
real    3m23.892s
user    3m22.185s
sys     0m0.685s

16000 rules:
real    4m11.174s
user    4m9.279s
sys     0m0.850s

17000 rules:
real    4m54.605s
user    4m52.632s
sys     0m0.915s


This doesn't seem entirely normal for this few rules, I am guessing
there is some review/optimization for the pattern matching that is going
on when the sigs all end/share similar patterns that causes this? Total
shot in the dark with that guess for the reason for the extended start
up times.

-- Eoin
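Added example, not code from either poster: the rule shape and the timings quoted above turned into a small Python helper that generates the http_header rules from a hostname list, hex-escapes the bytes a Snort content string cannot carry raw, and converts the `time` figures to seconds so the extra start-up cost per 1000 rules can be compared between samples. The escaped-byte set and the choice of sampled rows from the table are assumptions of this example.

```python
"""Rebuild the rule set from the thread and quantify how start-up time
grows with the rule count, using the figures quoted in the message."""
import re

# Rule shape taken from the thread; only the content and sid vary.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT"; '
        'content:"{content}"; http_header; sid:{sid}; rev:1;)')

# Bytes a Snort content string cannot carry raw; emitted as |XX| hex instead.
SPECIAL = set(b'|";\\')


def content_string(hostname: str) -> str:
    """Render hostname followed by CRLF as a Snort content pattern."""
    out = []
    for b in hostname.encode("ascii"):
        if b in SPECIAL or b < 0x20 or b > 0x7E:
            out.append(f"|{b:02X}|")
        else:
            out.append(chr(b))
    return "".join(out) + "|0D 0A|"


def generate_rules(hostnames, first_sid=1):
    """One rule per hostname with sequential sids, as in the thread."""
    return [RULE.format(content=content_string(h), sid=first_sid + i)
            for i, h in enumerate(hostnames)]


def parse_time(value: str) -> float:
    """Convert bash `time` output such as '4m54.605s' into seconds."""
    m = re.fullmatch(r"(\d+)m([\d.]+)s", value.strip())
    if not m:
        raise ValueError(f"not a time(1) value: {value!r}")
    return int(m.group(1)) * 60 + float(m.group(2))


# (rule count, real time) rows copied from the table in the thread.
MEASURED = [(1000, "0m2.089s"), (5000, "0m9.288s"), (10000, "0m37.173s"),
            (15000, "3m23.892s"), (17000, "4m54.605s")]


def cost_per_1000(measured=MEASURED):
    """Extra start-up seconds per additional 1000 rules between samples.
    A flat list means linear growth; a rising list means superlinear."""
    pts = [(n, parse_time(t)) for n, t in measured]
    return [round((t2 - t1) / ((n2 - n1) / 1000), 2)
            for (n1, t1), (n2, t2) in zip(pts, pts[1:])]


if __name__ == "__main__":
    print("\n".join(generate_rules(["domain1.com", "domain2.com"])))
    print(cost_per_1000())  # about [1.8, 5.58, 33.34, 45.36]
```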


------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
