Snort mailing list archives
Re: Slow snort startup, plus flowbit issues
From: Andre DiMino <adimino () sempersecurus org>
Date: Mon, 6 Oct 2014 21:22:46 -0400
Thanks everyone.

Right after the flowbits check, and during the "Port Based Pattern Matching Memory" initialization, the CPU jumps to 100% and memory usage to 25% of free. From what I'm hearing, it's typical and expected behavior. I can certainly deal with it. However, for running multiple, one-off offline scans, it does slow the effort down a bit.

Now to figure out what's up with PulledPork and the flowbit warnings. I do have many rules enabled, so this might be throwing things off a bit.

Thanks again folks, for sharing your findings on this.

Andre'

On Mon, Oct 6, 2014 at 2:20 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 10/6/2014 1:09 PM, Andre DiMino wrote:

[...]
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.
<hangs here for about 3 minutes>

if you are on *nix, watch top with SHIFT-M (to sort programs by memory usage) when snort is starting up... i suspect that you'll see this is where it is getting everything loaded into memory... we see a similar delay over here and always have... our startup tool times out after 30 seconds of no communication from the starter-scripts that fire up all our processes and it always complains about this...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
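An added example, not part of the thread or of Snort/PulledPork: a small audit that lists flowbits keys which enabled rules set but no enabled rule checks, which is the condition the quoted warning reports. It assumes one rule per line and that a leading `#` marks a disabled rule; the function names, SIDs and sample rules are constructed for illustration (only the key `http.stat_code_407` comes from the warning above).

```python
import re
from collections import defaultdict

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "setx", "toggle"}      # operations that can turn a bit on
CHECKERS = {"isset", "isnotset"}         # operations that test a bit

def flowbit_usage(rules_text):
    """Map each flowbit key to the SIDs of enabled rules that set / check it."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a disabled rule
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else -1
        for option in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in option.split(",")]
            if len(parts) < 2:                # noalert / reset carry no key
                continue
            op = parts[0].lower()
            target = setters if op in SETTERS else checkers if op in CHECKERS else None
            if target is None:                # unset: neither sets nor checks
                continue
            for key in re.split(r"[&|]", parts[1]):  # key1&key2 / key1|key2 forms
                if key.strip():
                    target[key.strip()].add(sid)
    return setters, checkers

def set_but_not_checked(rules_text):
    """Keys that some enabled rule sets while no enabled rule checks them."""
    setters, checkers = flowbit_usage(rules_text)
    return [(k, sorted(setters[k])) for k in sorted(setters) if k not in checkers]

# Constructed sample rules (SIDs and messages are made up for this example).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed setter A"; flow:to_server,established; flowbits:set,example.req; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed checker A"; flow:to_client,established; flowbits:isset,example.req; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed setter B"; flow:to_client,established; flowbits:set,http.stat_code_407; flowbits:noalert; sid:1000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed checker B, disabled"; flow:to_server,established; flowbits:isset,http.stat_code_407; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for key, sids in set_but_not_checked(SAMPLE_RULES):
        print(f"flowbits key '{key}' is set but never checked (set by sid {sids})")
```

Running it over the rules files actually loaded by Snort shows which setter SIDs are behind each warning, so the matching checker rules can be re-enabled or the orphaned setters disabled.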