[Snort-users] Solved. Re: Slow snort Initialization.

Ralph Crongeyer ralph at ...14120...
Fri May 11 11:14:47 EDT 2007


That fixes the problem.....

Thanks Joel!

PS: What does ac-bnfa mean/do?

Thanks

Ralph

Joel Esler <joel.esler at ...1935...> wrote: 
>First things first.
>
>In your snort.conf place this:
>
>config detection: search-method ac-bnfa
>
>See what that does for you.
>
>J
>
>
>On Thu, May 10, 2007 at 12:43:28PM -0400, it looks like Ralph Crongeyer
>sent me:
>> Hi list,
>> I'm new to snort and the list.
>> 
>> We (my company) are in the process of updating our snort version from 2.4
>> to 2.6.1.4 and I am having this problem (if it is a problem).
>> 
>> Background:
>> Debian "Etch"
>> 
>> libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil 
>> Wood's libpcap) compiled from source.
>> 
>> snort 2.6.1.4 compiled from source with libpcap compiled in (static). 
>> Configured like this:
>> LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin \
>>   --with-libpcap-includes=/opt/libpcap-0.9x.20070323 \
>>   --with-libpcap-libraries=/opt/libpcap-0.9x.20070323
>> 
>> Problem:
>> It takes up to 6 min to initialize. 6 min to go from this:
>> 
>> ############################################
>> Initializing Network Interface eth2
>> OpenPcap() device eth2 network lookup:
>>         eth2: no IPv4 address assigned
>> Decoding Ethernet on interface eth2
>> ############################################
>> 
>> to being ready to snort:
>> 
>> ############################################
>>         --== Initialization Complete ==--
>> 
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.6.1.4 (Build 54)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>> 
>> Using PCAP_FRAMES = 32768
>> ############################################
>> 
>> We have a lot of rules... however our previous version (2.4) processes 
>> everything and is initialized in seconds?
>> 
>> Can anyone help me speed this up?
>> 
>> Thanks
>> Ralph
>> 
>+-----
>joel esler | security consultant | Sourcefire |
>http://demo.sourcefire.com/jesler.pgp.key
>
>





