
Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info


From: "Justin Heath" <justin.heath () gmail com>
Date: Fri, 17 Nov 2006 07:55:56 -0500

Can you provide more information regarding your setup? If so ...

What OS/Distro and OS/Distro version are you running?

Did you compile by hand or use the binaries from snort.org?

If you compiled by hand what configure arguments, cflags etc. did you use?

How much traffic is passing by the monitoring interface that Snort is
configured to listen to?

What results did you see with the new pattern matcher (ac-bnfa) enabled?

Cheers,
Justin Heath

On 11/17/06, James Lay <jlay () slave-tothe-box net> wrote:
Sooo....I nuked:


config detection: search-method ac-sparsebands

and now snort starts with no ignore_scanners error (from my previous
post)

with

config detection: search-method ac-sparsebands

enabled snort takes about 800 megs of ram.  Without it, snort now takes
1.4 gigs of ram.  Snort 2.6.1 now takes almost a full 15 minutes to
fully start


Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization
completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES

Including config below:

# Snort 2.6.1 configuration as posted to the list. The
# "config detection: search-method ac-sparsebands" line the poster removed is
# not present here, so whatever pattern matcher this build defaults to is in
# effect (the thread discusses ac-sparsebands vs. ac-bnfa; confirm which one
# ends up active from Snort's startup output).
#
# Network definitions. "exip" in HOME_NET reads like a placeholder or a
# redaction made for the post rather than a literal address -- confirm
# against the real file.
var HOME_NET [192.168.0.0/24,exip]
var EXTERNAL_NET !$HOME_NET
# Every *_SERVERS variable points at the single host 192.168.0.2.
var DNS_SERVERS 192.168.0.2
var SMTP_SERVERS 192.168.0.2
var HTTP_SERVERS 192.168.0.2
var SQL_SERVERS 192.168.0.2
var TELNET_SERVERS 192.168.0.2
var SNMP_SERVERS 192.168.0.2
# Only port 80 is treated as HTTP; shellcode rules cover every port except 80.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# The archive appears to have wrapped this definition: as posted,
# "var AIM_SERVERS" is on one line and its value list on the next. In the
# actual file the list presumably follows on the same line -- verify.
var AIM_SERVERS 
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Rules live under a chroot prefix while the shared objects below are under
# /usr/local/lib; if Snort is run chrooted, confirm both paths resolve from
# wherever each is loaded.
var RULE_PATH /chroot/snort/etc/snort/rules
var SSH_PORTS 22
# Dynamic preprocessor directory and detection-engine shared object.
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
# stream4 runs with evasion alerts disabled: TCP evasion-technique alerts are
# suppressed, a deliberate noise-vs-coverage trade-off to keep in mind when
# tuning.
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
# Reassembly in both directions on all ports -- plausibly a contributor to the
# memory footprint discussed in the thread; worth checking if RAM is a concern.
preprocessor stream4_reassemble: both, ports[all]
# HTTP inspection limited to port 80, matching HTTP_PORTS above.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771
# Back Orifice preprocessor with default settings.
preprocessor bo
# SMTP inspection on port 25 with per-command line-length limits.
preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# Portscan detection at low sensitivity. ignore_scanners excludes
# 192.168.0.3 (the database host configured in the output section) and
# 192.168.0.2 (the host every *_SERVERS variable points at) as scan
# sources, so scans originating from either host will not alert. This is
# the directive the thread's earlier "ignore_scanners" error referred to.
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 192.168.0.3,192.168.0.2 }

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

# Alerts go to syslog (LOG_AUTH facility, LOG_ALERT level) and to a MySQL
# database on 192.168.0.3. The user/password/dbname values are blanked for
# the post; in the real file they are plaintext credentials inside snort.conf,
# so that file's permissions should be restricted accordingly.
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user= password= dbname= host=192.168.0.3

include classification.config
include reference.config

# Rule sets: local and stock rule files first, then the bleeding-* and
# community-* sets. Loading this many rule files is a likely factor in the
# startup time and memory use reported in the thread -- confirm by timing
# startup with subsets of the includes.
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/experimental.rules

# Bleeding Snort rule sets.
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding.rules

# Community rule sets.
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules




