Re: Slow Start Times (5 minutes +)

[Eoin Miller <eoin.miller () trojanedbinaries com>]

On 11/10/2011 1:57 PM, JJC wrote:
> There are certainly optimizations... I would, however, be curious about how
> much memory that your system has and how much is being used...  Could be a
> simple sizing issue... and 17K rules is a ton of rules!

Definitely isn't due to a lack of RAM:
Mem:  74172428k total, 44161812k used, 30010616k free,   503960k buffers

Or:
Mem:   8174188k total,  3894432k used,  4279756k free,   517068k buffers
Swap:  4194288k total,        0k used,  4194288k free,   842948k cached

It isn't paging/swapping when it is doing this, processor is totally 
pegged though. And IIRC, if it was disk swapping/waiting stuff, that 
would show up as system in the time command output:

real    4m54.605s
user    4m52.632s
sys     0m0.915s

Since all the time is user, then it should be the Snort process its self 
needing this amount of processing power to load up the rules.

17k is a ton of rules, but the engine runs with all that loaded up 
pretty darn good (plus other rulesets on top of these even). It is just 
the startup time that takes forever.

-- Eoin

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!