[Snort-users] Slow snort Initialization.

Joel Esler joel.esler at ...1935...
Thu May 10 13:15:10 EDT 2007


First things first.

In your snort.conf place this:

config detection: search-method ac-bnfa

See what that does for you.

J


On Thu, May 10, 2007 at 12:43:28PM -0400, it looks like Ralph Crongeyer sent me:
> Hi list,
> I'm new to snort and the list.
> 
> We (my company) are in the process of updating our snort version from 2.4 
> to 2.6.1.4 and I am having this problem (if it is a problem).
> 
> Background:
> Debian "Etch"
> 
> libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil 
> Wood's libpcap) compiled from source.
> 
> snort 2.6.1.4 compiled from source with libpcap compiled in (static). 
> Configured like this:
> LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin --with-libpcap-includes=/opt/libpcap-0.9x.20070323 --with-libpcap-libraries=/opt/libpcap-0.9x.20070323
> 
> Problem:
> It takes up to 6 min to initialize. 6 min to go from this:
> 
> ############################################
> Initializing Network Interface eth2
> OpenPcap() device eth2 network lookup:
>         eth2: no IPv4 address assigned
> Decoding Ethernet on interface eth2
> ############################################
> 
> to being ready to snort:
> 
> ############################################
>         --== Initialization Complete ==--
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.6.1.4 (Build 54)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> 
> Using PCAP_FRAMES = 32768
> ############################################
> 
> We have a lot of rules... however our previous version (2.4) processes 
> everything and is initialized in seconds?
> 
> Can anyone help me speed this up?
> 
> Thanks
> Ralph
> 

+-----
joel esler | security consultant | Sourcefire | http://demo.sourcefire.com/jesler.pgp.key
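
An added example, not part of either message and not Snort project code: a shell script that times `snort -T` (load the configuration, then exit) with the suggested `search-method`, so the start-up difference can be measured before changing the production config. The function names, the temporary `.test` file written beside the config, and appending a separate `config detection:` line when none sets a search-method are assumptions.

```shell
#!/bin/sh
# Added example: compare Snort start-up time per search-method setting.

# Print CONF with its search-method set to METHOD. An existing
# "config detection:" line keeps its other options; if none names a
# search-method, a new line is appended (assumption: Snort accepts that).
set_search_method() {
    conf=$1 method=$2
    if grep -Eq '^[[:space:]]*config[[:space:]]+detection:.*search-method' "$conf"; then
        sed -E "/^[[:space:]]*config[[:space:]]+detection:/ s/search-method[[:space:]]+[A-Za-z0-9_-]+/search-method $method/" "$conf"
    else
        cat "$conf"
        printf 'config detection: search-method %s\n' "$method"
    fi
}

# Time "snort -T" (test mode: initialize, report, exit) for one method.
# The variant is written beside CONF so relative include paths still resolve.
time_init() {
    conf=$1 method=$2
    variant="$conf.$method.test"
    set_search_method "$conf" "$method" > "$variant"
    start=$(date +%s)
    snort -T -c "$variant" >/dev/null 2>&1
    status=$?
    end=$(date +%s)
    rm -f "$variant"
    printf '%s\t%ss\texit=%s\n' "$method" "$((end - start))" "$status"
}

# Usage: sh this-script /path/to/snort.conf ac-bnfa [other-method ...]
if [ "$#" -ge 2 ] && command -v snort >/dev/null 2>&1; then
    conf=$1; shift
    for m in "$@"; do time_init "$conf" "$m"; done
fi
```

A non-zero `exit=` value means Snort rejected that variant, so its timing should be ignored.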