Snort mailing list archives

Slow snort startup, plus flowbit issues


From: Andre DiMino <adimino () sempersecurus org>
Date: Mon, 6 Oct 2014 13:09:02 -0400

I'm having two issues with my PulledPork/Snort instance.  I mostly use this
instance for offline scanning of pcaps, so typically the Snort and
PulledPork initialization is done in the background.
Recently I noticed that it took a very long time to process a pcap, so I
ran Snort initialization and test in the console.

First, despite using PulledPork, I get a huge number of flowbit warnings.
Right after that, the Snort initialization seems to hang for about three
minutes before completing.
The output looks like this:
:
:
:
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'ET.Hupinit1' is checked but not ever set.
WARNING: flowbits key 'ETPRO.NetServEnum' is set but not ever checked.
WARNING: flowbits key 'ppt.download' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'Omerta_1_3_conn_2' is checked but not ever set.
WARNING: flowbits key 'IBFS32.insecure.dll' is checked but not ever set.
WARNING: flowbits key 'ETPRO.Banload.YE' is set but not ever checked.
WARNING: flowbits key 'ETPRO.header.UHCa' is set but not ever checked.
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.

<hangs here for about 3 minutes>


[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 831
|     1 byte states : 767
|     2 byte states : 59
|     4 byte states : 5
| Characters        : 1776907
| States            : 957996
| Transitions       : 123569332
| State Density     : 50.4%
| Patterns          : 107743
| Match States      : 134735
| Memory (MB)       : 841.66
|   Patterns        : 11.61
|   Match Lists     : 53.36
|   DFA
|     1 byte states : 5.73
|     2 byte states : 160.77
|     4 byte states : 608.68
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 17917 ]

        --== Initialization Complete ==--

Any idea why the long wait between flowbit checking and Snort startup?
Also, what might be contributing to all the flowbit warnings
despite PulledPork going through the flowbit check?
I'm using Snort v2.9.6.2 and PulledPork v0.7.0.
Many thanks in advance.

Andre'

-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
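As an added illustration (not from the original post, and not PulledPork's own code), a small Python audit that reproduces the consistency check behind the warnings quoted above on a set of constructed rules: a key becomes orphaned when the only rule that sets or checks it is commented out, which is how a disabled rule turns into a "set but not ever checked" or "checked but not ever set" warning at startup. The helper names, the sample rules and their sids are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Snort 2.9 flowbits operations that write a key versus those that test it.
# Hypothetical helper for auditing a ruleset; not PulledPork's own flowbit code.
SETTERS = {"set", "setx", "unset", "toggle"}
CHECKERS = {"isset", "isnotset"}
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;", re.I)


def flowbit_keys(rules: List[str]) -> Tuple[Set[str], Set[str]]:
    """Return (keys_set, keys_checked) over enabled rules; commented-out rules are skipped."""
    keys_set: Set[str] = set()
    keys_checked: Set[str] = set()
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a rule PulledPork disabled no longer sets or checks anything
        for op, arg in FLOWBITS_RE.findall(line):
            op = op.lower()
            if op in ("noalert", "reset") or not arg:
                continue
            # 'set,name,group' carries a group after the name; 'isset,a&b' lists several names
            names = {n.strip() for n in re.split(r"[&|]", arg.split(",")[0]) if n.strip()}
            if op in SETTERS:
                keys_set |= names
            elif op in CHECKERS:
                keys_checked |= names
    return keys_set, keys_checked


def flowbit_report(rules: List[str]) -> Dict[str, object]:
    """Reproduce Snort's startup warnings: set-but-never-checked, checked-but-never-set, keys in use."""
    keys_set, keys_checked = flowbit_keys(rules)
    return {
        "set_not_checked": sorted(keys_set - keys_checked),
        "checked_not_set": sorted(keys_checked - keys_set),
        "in_use": len(keys_set | keys_checked),  # the startup output above reports this against 2048
    }


# Constructed sample rules (not from any real ruleset); sids are in the local range.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"setter only"; flow:to_server; content:"GET"; flowbits:set,file.caff; flowbits:noalert; sid:9000001; rev:1;)',
    'alert tcp any 80 -> any any (msg:"checker only"; flow:to_client; flowbits:isset,ET.Hupinit1; content:"200"; sid:9000002; rev:1;)',
    '# alert tcp any any -> any 80 (msg:"disabled setter"; flowbits:set,ET.Hupinit1; flowbits:noalert; sid:9000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"paired set"; flow:to_server; flowbits:set,http.ok; flowbits:noalert; sid:9000004; rev:1;)',
    'alert tcp any 80 -> any any (msg:"paired check"; flow:to_client; flowbits:isset,http.ok; sid:9000005; rev:1;)',
]
```

Running `flowbit_report` over the real rule files that PulledPork writes out shows which enabled rules reference each orphaned key, so the warning can be traced to the disabled or missing partner rule.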