Snort mailing list archives
2.6.1 and LOOOONG startup times plus more ignore_scanners info
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 Nov 2006 05:12:38 -0700
Sooo....I nuked: config detection: search-method ac-sparsebands and now snort starts with no ignore_scanners error (from my previous post) with config detection: search-method ac-sparsebands enabled snort takes about 800 megs of ram. Without it, snort now takes 1.4 gigs of ram. Snort 2.6.1 now takes almost a full 15 minutes to fully start now Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274) Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES Including config below: var HOME_NET [192.168.0.0/24,exip] var EXTERNAL_NET !$HOME_NET var DNS_SERVERS 192.168.0.2 var SMTP_SERVERS 192.168.0.2 var HTTP_SERVERS 192.168.0.2 var SQL_SERVERS 192.168.0.2 var TELNET_SERVERS 192.168.0.2 var SNMP_SERVERS 192.168.0.2 var HTTP_PORTS 80 var SHELLCODE_PORTS !80 var ORACLE_PORTS 1521 var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] var RULE_PATH /chroot/snort/etc/snort/rules var SSH_PORTS 22 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so preprocessor flow: stats_interval 0 hash 2 preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts preprocessor stream4_reassemble: both, ports[all] preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 } oversize_dir_length 500 preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor smtp: \ ports { 25 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN } \ alt_max_command_line_len 255 { EXPN VRFY } preprocessor sfportscan: proto { all } \ memcap { 10000000 } \ sense_level { low } \ ignore_scanners { 192.168.0.3,192.168.0.2 } preprocessor dcerpc: \ autodetect \ max_frag_size 3000 \ memcap 100000 preprocessor dns: \ ports { 53 } \ enable_rdata_overflow output alert_syslog: LOG_AUTH LOG_ALERT output database: log, mysql, user= password= dbname= host=192.168.0.3 include classification.config include reference.config include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/mysql.rules include $RULE_PATH/smtp.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/policy.rules include $RULE_PATH/porn.rules include $RULE_PATH/info.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules include $RULE_PATH/spyware-put.rules include $RULE_PATH/experimental.rules include $RULE_PATH/bleeding-botcc.rules include $RULE_PATH/bleeding-drop.rules include $RULE_PATH/bleeding-dshield.rules include $RULE_PATH/bleeding-virus.rules include $RULE_PATH/bleeding-web.rules include $RULE_PATH/bleeding-attack_response.rules include $RULE_PATH/bleeding-dos.rules include $RULE_PATH/bleeding-exploit.rules include $RULE_PATH/bleeding-game.rules include $RULE_PATH/bleeding-inappropriate.rules include $RULE_PATH/bleeding-malware.rules include $RULE_PATH/bleeding-scan.rules include $RULE_PATH/bleeding.rules include $RULE_PATH/community-bot.rules include $RULE_PATH/community-dos.rules include $RULE_PATH/community-exploit.rules include $RULE_PATH/community-game.rules include $RULE_PATH/community-icmp.rules include $RULE_PATH/community-imap.rules include $RULE_PATH/community-inappropriate.rules include $RULE_PATH/community-mail-client.rules include $RULE_PATH/community-misc.rules include $RULE_PATH/community-smtp.rules include $RULE_PATH/community-sql-injection.rules include $RULE_PATH/community-virus.rules include $RULE_PATH/community-web-attacks.rules include $RULE_PATH/community-web-client.rules include $RULE_PATH/community-web-dos.rules include $RULE_PATH/community-web-misc.rules include $RULE_PATH/community-web-php.rules ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- 2.6.1 and LOOOONG startup times plus more ignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Justin Heath (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plusmoreignore_scanners info John York (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Nigel Houghton (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Justin Heath (Nov 17)