Snort mailing list archives

Re: Slow snort startup, plus flowbit issues


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 6 Oct 2014 21:28:49 +0000

This has nothing to do with the flowbits per se... it's just Snort starting up like it's supposed to.


On Oct 6, 2014, at 2:22 PM, Bill Bernsen <bill.bernsen () nyu edu> wrote:

Run an strace on the pid to confirm, but I've noticed that snort initialization can be super slow due to initial 
memory allocation. This'll be indicated by a long series of brk() calls in the output.

On Mon, Oct 6, 2014 at 2:19 PM, Y M <snort () outlook com> wrote:
This kind of behavior is usually observed (I did) when a large number of rules are enabled, specifically if 
you have specified to enable all rules (enablesid.conf). 

YM

Date: Mon, 6 Oct 2014 13:09:02 -0400
From: adimino () sempersecurus org
To: snort-users () lists sourceforge net
Subject: [Snort-users] Slow snort startup, plus flowbit issues


I'm having two issues with my PulledPork/Snort instance.  I mostly use this instance for offline scanning of pcaps, 
so typically the Snort and PulledPork initialization is done in the background.
Recently I noticed that it took a very long time to process a pcap, so I ran Snort initialization and test in the 
console. 

First, despite using PulledPork, I get a huge number of flowbit warnings.  Right after that, the Snort initialization 
seems to hang for about three minutes before completing.
The output looks like this:
:
:
:
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'ET.Hupinit1' is checked but not ever set.
WARNING: flowbits key 'ETPRO.NetServEnum' is set but not ever checked.
WARNING: flowbits key 'ppt.download' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'Omerta_1_3_conn_2' is checked but not ever set.
WARNING: flowbits key 'IBFS32.insecure.dll' is checked but not ever set.
WARNING: flowbits key 'ETPRO.Banload.YE' is set but not ever checked.
WARNING: flowbits key 'ETPRO.header.UHCa' is set but not ever checked.
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.

<hangs here for about 3 minutes>


[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q 
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 831
|     1 byte states : 767
|     2 byte states : 59
|     4 byte states : 5
| Characters        : 1776907
| States            : 957996
| Transitions       : 123569332
| State Density     : 50.4%
| Patterns          : 107743
| Match States      : 134735
| Memory (MB)       : 841.66
|   Patterns        : 11.61
|   Match Lists     : 53.36
|   DFA
|     1 byte states : 5.73
|     2 byte states : 160.77
|     4 byte states : 608.68
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 17917 ]

        --== Initialization Complete ==--

Any idea why the long wait between flowbit checking and snort startup?  Also, what might be contributing to all the 
flowbit warnings despite PulledPork going through the flowbit check?
I'm using Snort v2.9.6.2 and PulledPork v0.7.0.
Many thanks in advance.

Andre'

-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

------------------------------------------------------------------------------
Slashdot TV. Videos for Nerds. Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
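Andre's post above shows a long run of flowbit warnings followed by a "1186 out of 2048 flowbits in use" summary. The script below is an added example, not code from this thread or from the Snort or PulledPork projects: it parses those warning lines from `snort -T` output and groups them by direction (set-but-unchecked versus checked-but-unset, the latter being checks that can never fire) and by key namespace (the text before the first dot, e.g. `ET`, `ETPRO`, `file`), so you can see which rule set the orphaned bits belong to and how close you are to the flowbit limit. The sample input is the output quoted in the post, embedded as a constructed string; the regular expressions assume the 2.9.x message wording shown there.

```python
"""Summarise Snort 'flowbits key ...' warnings from `snort -T` output."""
import re
import sys
from collections import Counter

# Constructed sample: the warning lines and the usage summary line exactly
# as quoted in the post, in the form `snort -T` prints them during rule parsing.
SAMPLE_OUTPUT = """\
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'ET.Hupinit1' is checked but not ever set.
WARNING: flowbits key 'ETPRO.NetServEnum' is set but not ever checked.
WARNING: flowbits key 'ppt.download' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'Omerta_1_3_conn_2' is checked but not ever set.
WARNING: flowbits key 'IBFS32.insecure.dll' is checked but not ever set.
WARNING: flowbits key 'ETPRO.Banload.YE' is set but not ever checked.
WARNING: flowbits key 'ETPRO.header.UHCa' is set but not ever checked.
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.
"""

# Message wording as printed by Snort 2.9.x (assumed from the quoted output).
WARN_RE = re.compile(
    r"^WARNING: flowbits key '(?P<key>[^']+)' is "
    r"(?P<state>set but not ever checked|checked but not ever set)\.$"
)
USAGE_RE = re.compile(r"^(?P<used>\d+) out of (?P<total>\d+) flowbits in use\.$")

SET_UNCHECKED = "set but not ever checked"
CHECKED_UNSET = "checked but not ever set"


def parse_flowbit_output(text):
    """Return ({key: state}, (used, total) or None) from snort -T output.

    Unrelated lines are ignored, so a whole startup log can be fed in.
    """
    warnings = {}
    usage = None
    for line in text.splitlines():
        line = line.strip()
        m = WARN_RE.match(line)
        if m:
            warnings[m.group("key")] = m.group("state")
            continue
        m = USAGE_RE.match(line)
        if m:
            usage = (int(m.group("used")), int(m.group("total")))
    return warnings, usage


def key_prefix(key):
    """Namespace of a flowbit key: the text before the first '.', else the whole key."""
    return key.split(".", 1)[0]


def summarise(warnings, usage):
    """Aggregate warnings by state and by namespace.

    A bit that is set but never checked is a producer whose consumer rule is
    disabled (wasted work and a wasted flowbit slot); a bit that is checked
    but never set is a consumer that can never alert.
    """
    by_state = Counter(warnings.values())
    summary = {
        "total_warnings": len(warnings),
        "set_unchecked": by_state[SET_UNCHECKED],
        "checked_unset": by_state[CHECKED_UNSET],
        "by_prefix": dict(Counter(key_prefix(k) for k in warnings)),
        "dead_checks": sorted(k for k, s in warnings.items() if s == CHECKED_UNSET),
    }
    if usage:
        used, total = usage
        summary["flowbits_used"] = used
        summary["flowbits_total"] = total
        summary["flowbits_pct"] = round(100.0 * used / total, 1)
    return summary


def report(text):
    """Parse and summarise in one call; returns the summary dict."""
    warnings, usage = parse_flowbit_output(text)
    return summarise(warnings, usage)


if __name__ == "__main__":
    # Read a saved `snort -T` log if given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    s = report(text)
    print(f"{s['total_warnings']} flowbit warnings: "
          f"{s['set_unchecked']} set-but-unchecked, {s['checked_unset']} checked-but-unset")
    for prefix, n in sorted(s["by_prefix"].items(), key=lambda kv: -kv[1]):
        print(f"  {prefix:<20} {n}")
    if "flowbits_pct" in s:
        print(f"flowbits in use: {s['flowbits_used']}/{s['flowbits_total']} ({s['flowbits_pct']}%)")
    print("checks that can never fire:", ", ".join(s["dead_checks"]))
```

Run it against a saved `snort -T -c snort.conf 2>&1 > startup.log` to get per-namespace counts; a namespace with many set-but-unchecked bits points at a rule set whose consumer rules were disabled by the enablesid/disablesid policy, which is the usual cause of these warnings after a PulledPork run.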




-- 
Bill Bernsen                                                    Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security


