
2.6.1 and LOOOONG startup times plus more ignore_scanners info


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 Nov 2006 05:12:38 -0700

Sooo....I nuked:


config detection: search-method ac-sparsebands

and now snort starts with no ignore_scanners error (from my previous
post)

with 

config detection: search-method ac-sparsebands

enabled snort takes about 800 megs of ram.  Without it, snort now takes
1.4 gigs of ram.  Snort 2.6.1 now takes almost a full 15 minutes to
fully start


Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting  
Nov 17 05:06:08 myshield snort[29274]: Snort initialization
completed successfully (pid=29274) 
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES

Including config below:

# Snort 2.6.1 configuration as posted. Note that the
# "config detection: search-method ac-sparsebands" line discussed in the
# post is not present in this listing (the author removed it).
#
# Network variables. `exip` is not defined anywhere in this excerpt --
# presumably a variable for the external address set earlier in the file
# or supplied on the command line; confirm it is defined before this point.
var HOME_NET [192.168.0.0/24,exip]
# Everything outside HOME_NET is treated as external.
var EXTERNAL_NET !$HOME_NET
# All service roles point at the single host 192.168.0.2.
var DNS_SERVERS 192.168.0.2
var SMTP_SERVERS 192.168.0.2
var HTTP_SERVERS 192.168.0.2
var SQL_SERVERS 192.168.0.2
var TELNET_SERVERS 192.168.0.2
var SNMP_SERVERS 192.168.0.2
var HTTP_PORTS 80
# Shellcode rules are applied to every port except 80.
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# NOTE(review): the AIM_SERVERS list appears on the line after the var
# name, most likely wrapped by the mail client; in the live file it is
# expected on the same line as the var -- verify.
var AIM_SERVERS 
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Rules live under a chroot; RULE_PATH is expanded in the include lines below.
var RULE_PATH /chroot/snort/etc/snort/rules
var SSH_PORTS 22
# Shared-object directory for dynamic preprocessors and the detection engine.
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# Flow tracking; stats_interval 0 presumably disables periodic flow stats
# output -- confirm against the 2.6.1 docs.
preprocessor flow: stats_interval 0 hash 2
# IP defragmentation: up to 65536 fragments tracked, "first" overlap
# policy, with anomaly detection enabled.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
# TCP stream tracking. disable_evasion_alerts suppresses stream4's evasion
# alerts, which removes visibility into attempts to evade reassembly --
# confirm this trade-off is intentional.
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
# Reassembly in both directions on every port; presumably a large part of
# the memory footprint reported in the post -- verify before tuning.
preprocessor stream4_reassemble: both, ports[all]
# HTTP normalization; the default server profile inspects port 80 only and
# flags directory components longer than 500 (oversize_dir_length).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 } oversize_dir_length 500

# RPC decoding on ports 111 and 32771.
preprocessor rpc_decode: 111 32771
# Back Orifice detection preprocessor, default settings.
preprocessor bo
# SMTP inspection on port 25: stateful, command normalization, and
# per-command maximum line lengths (alerts on anything longer).
preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# Port scan detection on all protocols, low sensitivity, 10000000-byte
# memcap. ignore_scanners excludes 192.168.0.2 (the server host above) and
# 192.168.0.3 (the database host in the output line below) as scan
# sources, so scans originating from either host will never alert --
# appropriate only while both are fully trusted.
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 192.168.0.3,192.168.0.2 }

# DCE/RPC inspection with port autodetection, 3000-byte max fragment,
# memcap 100000.
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

# DNS inspection on port 53 with RDATA overflow detection enabled.
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

# Alerts go to syslog (LOG_AUTH facility, LOG_ALERT priority) and to a
# MySQL database on 192.168.0.3. user=, password= and dbname= are blank
# here -- presumably redacted for the post; the live file needs them, and
# because it then holds a database password it should not be readable by
# other users on the sensor.
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user= password= dbname= host=192.168.0.3

# Classification priorities and reference URL prefixes used by the rules.
include classification.config
include reference.config

# Rule sets: local rules first, then the stock Snort rule files.
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/experimental.rules

# Bleeding Edge rule files; together with the community set below this is
# a large signature count, which presumably drives the startup time and
# memory use discussed in the post -- verify by loading subsets.
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding.rules

# Community rule files.
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules


