Snort mailing list archives

Re: disable Verifying Preprocessor Configurations


From: Hussein Bahaidarah <husseinb () gmail com>
Date: Fri, 8 Jul 2011 00:30:05 +0200

Thanks Russ,

You have clearly explained the issue. Would you please tell me which search method is better to conserve memory and yet 
still performs well with the fast pattern?

Thanks,


On Jul 8, 2011, at 12:05 AM, Russ Combs wrote:



On Thu, Jul 7, 2011 at 5:57 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:
Hello,

50K might be a lot. However, none of them need a preprocessor. My concern is why preprocessing verification is still 
taking place?

It is verifying an empty list of preprocessors.  Happens very quickly.  :)  That line is always output.

The next step has to do with fast pattern setup and that is what is taking some time.
 
On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:

You are loading 50 thousand rules, and you are wondering why Snort is taking a long time to start up?


On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:

Hi,

Yes, all lines are commented out. By the way, I am using beta version 2.9.1. Snort initialization shows that no 
preprocessor rules are used.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
50001 Snort rules read
  50001 detection rules
  0 decoder rules
  0 preprocessor rules
50001 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:

On 7/7/2011 15:26, Hussein Bahaidarah wrote:
Hello,

I am not using any preprocessor.

really? no preprocessors at all?? each and every one of them are commented out
in your snort.conf?

However, Snort still does the "Verifying Preprocessor Configurations" step at the loading stage. Is there any way to 
turn this off, as it takes a long time as the rule file grows?

"
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
"

Thanks

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation

