[Snort-users] Slow snort Initialization.

Ralph Crongeyer ralph at ...14120...
Thu May 10 12:43:28 EDT 2007


Hi list,
I'm new to snort and the list.

We (my company) are in the process of updating our snort version from 2.4 
to 2.6.1.4 and I am having this problem (if it is a problem).

Background:
Debian "Etch"

libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil 
Wood's libpcap) compiled from source.

snort 2.6.1.4 compiled from source with libpcap compiled in (static). 
Configured like this:
LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin --with-
libpcap-includes=/opt/libpcap-0.9x.20070323 --with-libpcap-
libraries=/opt/libpcap-0.9x.20070323

Problem:
It takes up to 6 min to initialize. 6 min to go from this:

############################################
Initializing Network Interface eth2
OpenPcap() device eth2 network lookup:
        eth2: no IPv4 address assigned
Decoding Ethernet on interface eth2
############################################

to being ready to snort:

############################################
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.1.4 (Build 54)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using PCAP_FRAMES = 32768
############################################

We have alot of rules... however our previous version (2.4) processes 
everything and is initialized in seconds?

Can anone help me speed this up?

Thanks
Ralph







More information about the Snort-users mailing list