Solved. Re: Slow snort Initialization.

[Ralph Crongeyer <ralph () crongeyer com>]

That fixes the problem.....

Thanks Joel!

PS: What does ac-bnfa mean/do?

Thanks

Ralph

Joel Esler <joel.esler () sourcefire com> wrote: 
>

First things first.
> in your snort.conf place this:
>
> config detection: search-method ac-bnfa
>
> See what that does for you.
>
> J
>
>
> On Thu, May 10, 2007 at 12:43:28PM -0400, it looks like Ralph Crongeyer
> sent me:
> > Hi list,
> > I'm new to snort and the list.
> >
> > We (my company) are in the process of updating our snort version from 2.4
>
> > to 2.6.1.4 and I am having this problem (if it is a problem).
> >
> > Background:
> > Debian "Etch"
> >
> > libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil 
> > Wood's libpcap) compiled from source.
> >
> > snort 2.6.1.4 compiled from source with libpcap compiled in (static). 
> > Configured like this:
> > LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin
> --with-
> > libpcap-includes=/opt/libpcap-0.9x.20070323 --with-libpcap-
> > libraries=/opt/libpcap-0.9x.20070323
> >
> > Problem:
> > It takes up to 6 min to initialize. 6 min to go from this:
> >
> > ############################################
> > Initializing Network Interface eth2
> > OpenPcap() device eth2 network lookup:
> >         eth2: no IPv4 address assigned
> > Decoding Ethernet on interface eth2
> > ############################################
> >
> > to being ready to snort:
> >
> > ############################################
> >         --== Initialization Complete ==--
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.6.1.4 (Build 54)
> >    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> >
> > Using PCAP_FRAMES = 32768
> > ############################################
> >
> > We have alot of rules... however our previous version (2.4) processes 
> > everything and is initialized in seconds?
> >
> > Can anone help me speed this up?
> >
> > Thanks
> > Ralph
> -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
>
> +-----
> joel esler | security consultant | Sourcefire |
> http://demo.sourcefire.com/jesler.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users