Snort mailing list archives

Re: Slow snort startup, plus flowbit issues


From: Andre DiMino <adimino () sempersecurus org>
Date: Mon, 6 Oct 2014 21:22:46 -0400

Thanks everyone.  Right after the flowbits check, and during the "Port
Based Pattern Matching Memory" initialization, the CPU jumps to 100% and
memory usage to 25% of free.  From what I'm hearing, it's typical and
expected behavior.
I can certainly deal with it. However, for running multiple, one-off offline
scans, it does slow the effort down a bit.

Now to figure out what's up with PulledPork and the flowbit warnings.  I do
have many rules enabled, so this might be throwing things off a bit.

Thanks again folks, for sharing your findings on this.

Andre'

On Mon, Oct 6, 2014 at 2:20 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 10/6/2014 1:09 PM, Andre DiMino wrote:
[...]
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.

<hangs here for about 3 minutes>

if you are on *nix, watch top with SHIFT-M (to sort programs by memory
usage) when snort is starting up... i suspect that you'll see this is
where it is getting everything loaded into memory... we see a similar
delay over here and always have... our startup tool times out after 30
seconds of no communication from the starter-scripts that fire up all our
processes and it always complains about this...

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
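
An added example, not part of the original thread and not code from Snort or PulledPork: a small Python audit that approximates the "set but not ever checked" warning over the enabled rules in a rule file, so the setter SIDs can be found without waiting for a full Snort startup. The sample rules, the SIDs, the function name `audit_flowbits`, and the choice to count only `set`, `setx` and `toggle` as setters are assumptions; Snort's own accounting may differ.

```python
import re
from collections import defaultdict

# Constructed sample rule file (not from the thread). SIDs and all bit names
# except http.stat_code_407 are made up. The '#' line is a disabled rule.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed: proxy auth required"; flow:to_client,established; content:"407"; http_stat_code; flowbits:set,http.stat_code_407; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed: disabled checker"; flowbits:isset,http.stat_code_407; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed: exe seen"; flow:to_client,established; content:"MZ"; flowbits:set,file.exe; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed: exe follow-up"; flowbits:isset,file.exe; content:"PE|00 00|"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: orphan check"; flowbits:isset,demo.a|demo.b; sid:1000005; rev:1;)
'''

FLOWBITS = re.compile(r'flowbits\s*:\s*([^;]+);')
SID = re.compile(r'\bsid\s*:\s*(\d+)')
SETTERS = {"set", "setx", "toggle"}    # assumption: actions counted as "set"
CHECKERS = {"isset", "isnotset"}       # actions counted as "checked"

def audit_flowbits(rules_text):
    """Return (set_but_never_checked, checked_but_never_set) as {bit: [sids]}."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # disabled rules do not count
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else None
        for opt in FLOWBITS.findall(line):
            parts = [p.strip() for p in opt.split(",")]
            if len(parts) < 2:                 # noalert / reset carry no bit name
                continue
            action, names = parts[0], parts[1] # parts[2], if present, is a group
            for bit in re.split(r"[&|]", names):   # multi-bit forms: a&b, a|b
                if action in SETTERS:
                    setters[bit.strip()].add(sid)
                elif action in CHECKERS:
                    checkers[bit.strip()].add(sid)
    unchecked = {b: sorted(s) for b, s in setters.items() if b not in checkers}
    unset = {b: sorted(s) for b, s in checkers.items() if b not in setters}
    return unchecked, unset

if __name__ == "__main__":
    unchecked, unset = audit_flowbits(SAMPLE_RULES)
    for bit, sids in unchecked.items():
        print(f"flowbits key '{bit}' is set but never checked (sids {sids})")
    for bit, sids in unset.items():
        print(f"flowbits key '{bit}' is checked but never set (sids {sids})")
```
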