Snort mailing list archives

Re: Slow snort startup, plus flowbit issues


From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Mon, 6 Oct 2014 14:22:26 -0400

Run an strace on the pid to confirm, but I've noticed that snort
initialization can be super slow due to initial memory allocation. This'll
be indicated by a long series of brk() calls in the output.

On Mon, Oct 6, 2014 at 2:19 PM, Y M <snort () outlook com> wrote:

This kind of behavior is usually observed (I did) when a large number of
rules are enabled, specifically if you have specified enabling all rules
(enablesid.conf).

YM

------------------------------
Date: Mon, 6 Oct 2014 13:09:02 -0400
From: adimino () sempersecurus org
To: snort-users () lists sourceforge net
Subject: [Snort-users] Slow snort startup, plus flowbit issues


I'm having two issues with my PulledPork/Snort instance.  I mostly use
this instance for offline scanning of pcaps, so typically the Snort and
PulledPork initialization is done in the background.
Recently I noticed that it took a very long time to process a pcap, so I
ran Snort initialization and test in the console.

First, despite using PulledPork, I get a huge number of flowbit warnings.
Right after that, the Snort initialization seems to hang for about three
minutes before completing.
The output looks like this:
:
:
:
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'ET.Hupinit1' is checked but not ever set.
WARNING: flowbits key 'ETPRO.NetServEnum' is set but not ever checked.
WARNING: flowbits key 'ppt.download' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'Omerta_1_3_conn_2' is checked but not ever set.
WARNING: flowbits key 'IBFS32.insecure.dll' is checked but not ever set.
WARNING: flowbits key 'ETPRO.Banload.YE' is set but not ever checked.
WARNING: flowbits key 'ETPRO.header.UHCa' is set but not ever checked.
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.

<hangs here for about 3 minutes>


[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 831
|     1 byte states : 767
|     2 byte states : 59
|     4 byte states : 5
| Characters        : 1776907
| States            : 957996
| Transitions       : 123569332
| State Density     : 50.4%
| Patterns          : 107743
| Match States      : 134735
| Memory (MB)       : 841.66
|   Patterns        : 11.61
|   Match Lists     : 53.36
|   DFA
|     1 byte states : 5.73
|     2 byte states : 160.77
|     4 byte states : 608.68
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 17917 ]

        --== Initialization Complete ==--

Any idea why the long wait between flowbit checking and snort startup?
Also, what might be contributing to all the flowbit warnings
despite PulledPork going through the flowbit check?
I'm using Snort v2.9.6.2 and PulledPork v0.7.0.
Many thanks in advance.

Andre'

--

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

------------------------------------------------------------------------------
Slashdot TV. Videos for Nerds. Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options
or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!






--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
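To find which rules are behind the "set but not ever checked" / "checked but not ever set" warnings in the original question, here is an added example (not code from the thread, from Snort or from PulledPork): a Python scan of the active rules that maps every flowbit key to the sids that set it and the sids that test it, then reports the same two mismatch classes Snort prints at startup. The sample rule set is constructed, and the classification of `set`/`setx`/`toggle` as setters and `isset`/`isnotset` as checkers is an assumption that approximates Snort's bookkeeping, not its code.

```python
import re
from collections import defaultdict

# Assumed classification approximating Snort's startup check (not Snort's own code).
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def flowbit_usage(rules_text):
    """Map each flowbit key to the sids that set it and the sids that check it.
    Lines starting with '#' are disabled rules (what disablesid.conf produces)
    and are skipped, just as Snort ignores them."""
    usage = defaultdict(lambda: {"set": set(), "checked": set()})
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        sid = sid_m.group(1) if sid_m else "?"
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(",")]
            op = parts[0].lower()
            if len(parts) < 2 or op not in SETTERS | CHECKERS:
                continue  # noalert or malformed option: nothing to track
            # "a&b" / "a|b" name several keys; an optional third field is the group
            for key in re.split(r"[&|]", parts[1]):
                if key.strip():
                    usage[key.strip()]["set" if op in SETTERS else "checked"].add(sid)
    return usage

def flowbit_report(rules_text):
    """Return (set_not_checked, checked_not_set, keys_in_use) for a rule set."""
    usage = flowbit_usage(rules_text)
    snc = {k: sorted(v["set"]) for k, v in usage.items() if v["set"] and not v["checked"]}
    cns = {k: sorted(v["checked"]) for k, v in usage.items() if v["checked"] and not v["set"]}
    return snc, cns, len(usage)

# Constructed sample rules (not from the thread); key names only echo the warnings above.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"set only"; flowbits:set,file.caff; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"setter disabled"; flowbits:set,ET.Hupinit1; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"checker"; flowbits:isset,ET.Hupinit1; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"paired set"; flowbits:set,http.ok; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"paired check"; flowbits:isset,http.ok; sid:1000005; rev:1;)
alert tcp any any -> any any (msg:"multi check"; flowbits:isset,a&b; sid:1000006; rev:1;)
"""

if __name__ == "__main__":
    snc, cns, n = flowbit_report(SAMPLE_RULES)
    for k, sids in snc.items():
        print(f"WARNING: flowbits key '{k}' is set but not ever checked. (sids {sids})")
    for k, sids in cns.items():
        print(f"WARNING: flowbits key '{k}' is checked but not ever set. (sids {sids})")
    print(f"{n} flowbits in use.")
```

Run it against the concatenated rules Snort actually loads (e.g. PulledPork's output file) and the sid lists tell you which enabled checker has had its setter disabled, or which setter is left without any enabled consumer.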
