Snort mailing list archives
Re: command line options...
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 25 Sep 2010 20:23:29 -0400
On 9/25/2010 15:48, Joel Esler wrote:
> On Fri, Sep 24, 2010 at 5:56 PM, waldo kitty <wkitty42 () windstream net> wrote:
>> anyway, back to trying to figure out why we now have three snort processes
>> when we used to only have one... we're testing these compile time options...
>>
>> --enable-gre --enable-mpls --enable-targetbased
>> --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling
>> --enable-zlib --enable-reload
>
> You have three because of the reload option. (I thought it was two tho, maybe Russ can answer back).
yes, i finally saw a comment during the cold loading that the reload thread was started... what's the third thread for?

and have i maybe found a bug? when i SIGHUP snort with the above configuration, it uses additional memory instead of blowing it out and starting over... here's top from a cold start up and after a SIGHUP...

[cold start]
top - 20:02:17 up 43 days, 10:54,  4 users,  load average: 0.07, 0.07, 0.06
Tasks:  61 total,   1 running,  60 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.0%us,  4.3%sy,  0.0%ni, 80.4%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:    516492k total,   507108k used,     9384k free,    14668k buffers
Swap:   516088k total,    20672k used,   495416k free,   137692k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27036 snort     15   0  181m 153m 1632 S  0.0 30.3   0:55.72 snort
27037 root      16   0  181m 153m 1632 S  0.0 30.3   0:00.00 snort
27038 root      16   0  181m 153m 1632 S  0.0 30.3   0:00.00 snort

[SIGHUP]
top - 20:06:16 up 43 days, 10:58,  4 users,  load average: 0.97, 0.57, 0.25
Tasks:  60 total,   1 running,  59 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  0.7%sy,  0.0%ni, 96.4%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:    516492k total,   507540k used,     8952k free,     3068k buffers
Swap:   516088k total,    64644k used,   451444k free,    76320k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27036 snort     16   0  295m 249m 1976 S  0.0 49.5   0:56.14 snort
27037 root      16   0  295m 249m 1976 S  0.0 49.5   0:00.00 snort
27038 root      16   0  295m 249m 1976 S  0.0 49.5   1:39.28 snort

every SIGHUP causes snort to use more and more memory... i was hoping that it would be faster than unloading and cold starting but it isn't... it still takes 60+ seconds to complete... but then again, i have a large number of rules, too...

Sep 25 20:17:24 perseus snort[27036]: 12499 Snort rules read
Sep 25 20:17:24 perseus snort[27036]:     12263 detection rules
Sep 25 20:17:24 perseus snort[27036]:     72 decoder rules
Sep 25 20:17:24 perseus snort[27036]:     164 preprocessor rules
Sep 25 20:17:24 perseus snort[27036]: 12499 Option Chains linked into 1831 Chain Headers
Sep 25 20:17:24 perseus snort[27036]: 0 Dynamic rules

i'm also confused about the "0 Dynamic rules"... aren't those the SO rules? we know that my SO rules are firing as i posted a GID:3 yesterday asking something with it that i've not had answered yet :? :(