[Snort-users] 2.6.1 and LOOOONG startup times plus more ignore_scanners info

Justin Heath justin.heath at ...11827...
Fri Nov 17 07:55:56 EST 2006


Can you provide more information regarding your setup? If so ...

What OS/Distro and OS/Distro version are you running?

Did you compile by hand or use the binaries from snort.org?

If you compiled by hand what configure arguments, cflags etc. did you use?

How much traffic is passing by the monitoring interface that Snort is
configured to listen to?

What results did you see with the new pattern matcher (ac-bnfa) enabled?

Cheers,
Justin Heath

On 11/17/06, James Lay <jlay at ...13475...> wrote:
> Sooo....I nuked:
>
>
> config detection: search-method ac-sparsebands
>
> and now snort starts with no ignore_scanners error (from my previous
> post)
>
> with
>
> config detection: search-method ac-sparsebands
>
> enabled snort takes about 800 megs of ram.  Without it, snort now takes
> 1.4 gigs of ram.  Snort 2.6.1 now takes almost a full 15 minutes to
> fully start
>
>
> Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
> Nov 17 05:06:08 myshield snort[29274]: Snort initialization
> completed successfully (pid=29274)
> Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES
>
> Including config below:
>
> var HOME_NET [192.168.0.0/24,exip]
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS 192.168.0.2
> var SMTP_SERVERS 192.168.0.2
> var HTTP_SERVERS 192.168.0.2
> var SQL_SERVERS 192.168.0.2
> var TELNET_SERVERS 192.168.0.2
> var SNMP_SERVERS 192.168.0.2
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /chroot/snort/etc/snort/rules
> var SSH_PORTS 22
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
> preprocessor stream4_reassemble: both, ports[all]
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor smtp: \
>   ports { 25 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low } \
>                          ignore_scanners { 192.168.0.3,192.168.0.2 }
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> output alert_syslog: LOG_AUTH LOG_ALERT
> output database: log, mysql, user= password= dbname= host=192.168.0.3
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/mysql.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/porn.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/experimental.rules
>
> include $RULE_PATH/bleeding-botcc.rules
> include $RULE_PATH/bleeding-drop.rules
> include $RULE_PATH/bleeding-dshield.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/bleeding-web.rules
> include $RULE_PATH/bleeding-attack_response.rules
> include $RULE_PATH/bleeding-dos.rules
> include $RULE_PATH/bleeding-exploit.rules
> include $RULE_PATH/bleeding-game.rules
> include $RULE_PATH/bleeding-inappropriate.rules
> include $RULE_PATH/bleeding-malware.rules
> include $RULE_PATH/bleeding-scan.rules
> include $RULE_PATH/bleeding.rules
>
> include $RULE_PATH/community-bot.rules
> include $RULE_PATH/community-dos.rules
> include $RULE_PATH/community-exploit.rules
> include $RULE_PATH/community-game.rules
> include $RULE_PATH/community-icmp.rules
> include $RULE_PATH/community-imap.rules
> include $RULE_PATH/community-inappropriate.rules
> include $RULE_PATH/community-mail-client.rules
> include $RULE_PATH/community-misc.rules
> include $RULE_PATH/community-smtp.rules
> include $RULE_PATH/community-sql-injection.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/community-web-attacks.rules
> include $RULE_PATH/community-web-client.rules
> include $RULE_PATH/community-web-dos.rules
> include $RULE_PATH/community-web-misc.rules
> include $RULE_PATH/community-web-php.rules
>
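An added example (not from this thread or from the Snort project) that measures the startup gap James describes directly from the syslog lines Snort 2.6 writes: it pairs each "Daemon parent exiting" line with the next "Snort initialization completed successfully" line and reports the seconds between them, so a sensor that takes many minutes to come up shows as a window with no detection coverage. The sample log lines, the year and the 300-second threshold are constructed here; the line format is the one quoted in the post above.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the syslog lines quoted in the thread.
# The second start crosses a year boundary to exercise the rollover handling.
SAMPLE_LOG = """\
Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES
Dec 31 23:58:30 myshield snort[30001]: Daemon parent exiting
Jan  1 00:01:10 myshield snort[30002]: Snort initialization completed successfully (pid=30002)
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[(\d+)\]: (.*)$")
START_MSG = "Daemon parent exiting"
READY_MSG = "Snort initialization completed successfully"


def _ts(text, year):
    # Classic syslog omits the year, so the caller supplies it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def startup_durations(log_text, year=2006):
    """Return [(ready_pid, seconds)] for every daemon start found in the log.

    The parent pid (which logs 'Daemon parent exiting') differs from the
    child that reports readiness, so starts are matched in sequence rather
    than by pid.  A ready time earlier than its start means the year rolled
    over between the two lines.
    """
    results, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a snort line, or a different daemon
        when, pid, msg = _ts(m.group(1), year), int(m.group(2)), m.group(3)
        if msg.startswith(START_MSG):
            pending = when
        elif msg.startswith(READY_MSG) and pending is not None:
            if when < pending:
                when = when.replace(year=when.year + 1)  # year rollover
            results.append((pid, int((when - pending).total_seconds())))
            pending = None
    return results


def slow_starts(log_text, threshold_seconds=300, year=2006):
    """Starts slower than the threshold: each one is a gap in sensor coverage."""
    return [(p, s) for p, s in startup_durations(log_text, year) if s > threshold_seconds]


if __name__ == "__main__":
    for pid, secs in startup_durations(SAMPLE_LOG):
        print(f"pid {pid}: {secs // 60}m{secs % 60:02d}s to initialize")
```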