[Snort-users] 2.6.1 and LOOOONG startup times plus more ignore_scanners info

James Lay jlay at ...13475...
Fri Nov 17 11:16:58 EST 2006


Wow, good questions :D  OK, here is the info:

Distro is Slackware 10.2

Compiled Snort with:

./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin

I have some streaming media and a trickle of ssh traffic; this is just a
home setup, so not a lot of traffic present.

Are the below all the mem options I have?
ac | ac-std | ac-bnfa | acs | ac-banded | ac-sparsebands | lowmem 

After initial startup, snort with ac-sparsebands is using 52% of 1 gig of
memory, which is about how it was running with 2.6.0.

And HOLY SMACKERS!  ac-bnfa sure made a difference!  Tested with that and
now snort is using 9% of memory, and init time was less than a minute!

09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108
09:10:35 myshield snort[31108]: Daemon parent exiting
09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)
09:11:10 myshield snort[31109]: Not Using PCAP_FRAMES

I'll see how this flies throughout the day.  Thank you!!

James
-----Original Message-----
From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Justin Heath
Sent: Friday, November 17, 2006 5:56 AM
To: Forward4James
Cc: Snort
Subject: Re: [Snort-users] 2.6.1 and LOOOONG startup times plus more ignore_scanners info

Can you provide more information regarding your setup? If so ...

What OS/Distro and OS/Distro version are you running?

Did you compile by hand or use the binaries from snort.org?

If you compiled by hand what configure arguments, cflags etc. did you use?

How much traffic is passing by the monitoring interface that Snort is
configured to listen to?

What results did you see with the new pattern matcher (ac-bnfa) enabled?

Cheers,
Justin Heath

On 11/17/06, James Lay <jlay at ...13475...> wrote:
> Sooo....I nuked:
>
>
> config detection: search-method ac-sparsebands
>
> and now snort starts with no ignore_scanners error (from my previous post)
>
> with
>
> config detection: search-method ac-sparsebands
>
> enabled snort takes about 800 megs of ram.  Without it, snort now
> takes 1.4 gigs of ram.  Snort 2.6.1 now takes almost a full 15 minutes to
> fully start.
>
>
> Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
> Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
> Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES
>
> Including config below:
>
> var HOME_NET [192.168.0.0/24,exip]
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS 192.168.0.2
> var SMTP_SERVERS 192.168.0.2
> var HTTP_SERVERS 192.168.0.2
> var SQL_SERVERS 192.168.0.2
> var TELNET_SERVERS 192.168.0.2
> var SNMP_SERVERS 192.168.0.2
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /chroot/snort/etc/snort/rules
> var SSH_PORTS 22
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
> preprocessor stream4_reassemble: both, ports[all]
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor smtp: \
>   ports { 25 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low } \
>                          ignore_scanners { 192.168.0.3,192.168.0.2 }
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> output alert_syslog: LOG_AUTH LOG_ALERT
> output database: log, mysql, user= password= dbname= host=192.168.0.3
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/mysql.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/porn.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/experimental.rules
>
> include $RULE_PATH/bleeding-botcc.rules
> include $RULE_PATH/bleeding-drop.rules
> include $RULE_PATH/bleeding-dshield.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/bleeding-web.rules
> include $RULE_PATH/bleeding-attack_response.rules
> include $RULE_PATH/bleeding-dos.rules
> include $RULE_PATH/bleeding-exploit.rules
> include $RULE_PATH/bleeding-game.rules
> include $RULE_PATH/bleeding-inappropriate.rules
> include $RULE_PATH/bleeding-malware.rules
> include $RULE_PATH/bleeding-scan.rules
> include $RULE_PATH/bleeding.rules
>
> include $RULE_PATH/community-bot.rules
> include $RULE_PATH/community-dos.rules
> include $RULE_PATH/community-exploit.rules
> include $RULE_PATH/community-game.rules
> include $RULE_PATH/community-icmp.rules
> include $RULE_PATH/community-imap.rules
> include $RULE_PATH/community-inappropriate.rules
> include $RULE_PATH/community-mail-client.rules
> include $RULE_PATH/community-misc.rules
> include $RULE_PATH/community-smtp.rules
> include $RULE_PATH/community-sql-injection.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/community-web-attacks.rules
> include $RULE_PATH/community-web-client.rules
> include $RULE_PATH/community-web-dos.rules
> include $RULE_PATH/community-web-misc.rules
> include $RULE_PATH/community-web-php.rules
>
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

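The thread compares search methods by reading the gap between the "Daemon parent exiting" / "Daemon initialized" syslog line and the "Snort initialization completed successfully" line. The following script is an added example, not code from the thread or from the Snort project: it parses syslog lines in the format shown above (with or without the "Nov 17" date prefix), pairs each start with its completion, and reports the seconds each start took, so before/after numbers for a search-method change can be pulled from the log rather than eyeballed. The sample log is constructed from the timestamps quoted in the thread, and the 300-second "slow start" threshold is an arbitrary assumption.

```python
"""Measure Snort daemon start-up time from syslog lines.

Added example, not from the original thread or the Snort project.
It pairs the first daemon line ("Daemon initialized ..." or "Daemon
parent exiting") with the next "Snort initialization completed
successfully (pid=N)" line and reports how long each start took.
Timestamps with or without a date prefix are accepted; a start that
crosses midnight is corrected modulo 24 hours.
"""
import re
from typing import Dict, List, Optional

# Constructed sample built from the timings quoted in the thread:
# first run had ac-sparsebands removed, second run used ac-bnfa.
SAMPLE_LOG = """\
Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES
Nov 17 09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108
Nov 17 09:10:35 myshield snort[31108]: Daemon parent exiting
Nov 17 09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)
Nov 17 09:11:10 myshield snort[31109]: Not Using PCAP_FRAMES
"""

# Optional "Mon DD " date, HH:MM:SS, hostname, "snort[pid]: message".
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d{1,2}\s+)?(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+"
    r"\S+\s+snort\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
DONE_RE = re.compile(
    r"Snort initialization completed successfully \(pid=(?P<pid>\d+)\)"
)
START_PREFIXES = ("Daemon initialized", "Daemon parent exiting")


def _secs(m: "re.Match") -> int:
    """Seconds since midnight for a matched timestamp."""
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def startup_times(log: str) -> List[Dict[str, int]]:
    """Return one record per completed start: child pid and seconds taken."""
    results: List[Dict[str, int]] = []
    pending_start: Optional[int] = None  # time of the earliest daemon line
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a snort syslog line, ignore it
        msg = m["msg"]
        done = DONE_RE.search(msg)
        if done:
            if pending_start is None:
                continue  # completion with no visible start, skip
            elapsed = (_secs(m) - pending_start) % 86400  # midnight wrap
            results.append({"pid": int(done["pid"]), "seconds": elapsed})
            pending_start = None
        elif msg.startswith(START_PREFIXES) and pending_start is None:
            pending_start = _secs(m)  # first daemon line marks the start
    return results


def slow_starts(log: str, threshold: int = 300) -> List[int]:
    """Pids whose initialization took longer than `threshold` seconds
    (the 300 s default is an arbitrary assumption for this example)."""
    return [r["pid"] for r in startup_times(log) if r["seconds"] > threshold]


if __name__ == "__main__":
    for r in startup_times(SAMPLE_LOG):
        mins, secs = divmod(r["seconds"], 60)
        print(f"pid {r['pid']}: init took {mins}m{secs:02d}s")
    print("slow starts (>5 min):", slow_starts(SAMPLE_LOG))
```

Run it against a real file with `startup_times(open("/var/log/messages").read())`; the pairing is deliberately simple (first daemon line, next completion line), so if two Snort instances start concurrently on the same host their lines will interleave and should be split by pid first.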




