[Snort-users] Solved. Re: Slow snort Initialization.

Joel Esler joel.esler at ...1935...
Fri May 11 11:20:25 EDT 2007


It's a new search method introduced in ~2.6.1.  It's "just as fast" as
AC, but not so much of a memory hog and starts up faster.

J

Ralph Crongeyer wrote:
> That fixes the problem.....
> 
> Thanks Joel!
> 
> PS: What does ac-bnfa mean/do?
> 
> Thanks
> 
> Ralph
> 
> Joel Esler <joel.esler at ...1935...> wrote: 
> 
>> First things first.
>> In your snort.conf place this:
>>
>> config detection: search-method ac-bnfa
>>
>> See what that does for you.
>>
>> J
>>
>>
>> On Thu, May 10, 2007 at 12:43:28PM -0400, it looks like Ralph Crongeyer
>> sent me:
>>> Hi list,
>>> I'm new to snort and the list.
>>>
>>> We (my company) are in the process of updating our snort version from 2.4
>>> to 2.6.1.4 and I am having this problem (if it is a problem).
>>>
>>> Background:
>>> Debian "Etch"
>>>
>>> libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil 
>>> Wood's libpcap) compiled from source.
>>>
>>> snort 2.6.1.4 compiled from source with libpcap compiled in (static). 
>>> Configured like this:
>>> LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin --with-libpcap-includes=/opt/libpcap-0.9x.20070323 --with-libpcap-libraries=/opt/libpcap-0.9x.20070323
>>>
>>> Problem:
>>> It takes up to 6 min to initialize. 6 min to go from this:
>>>
>>> ############################################
>>> Initializing Network Interface eth2
>>> OpenPcap() device eth2 network lookup:
>>>         eth2: no IPv4 address assigned
>>> Decoding Ethernet on interface eth2
>>> ############################################
>>>
>>> to being ready to snort:
>>>
>>> ############################################
>>>         --== Initialization Complete ==--
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.6.1.4 (Build 54)
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>>
>>> Using PCAP_FRAMES = 32768
>>> ############################################
>>>
>>> We have a lot of rules... however our previous version (2.4) processes 
>>> everything and is initialized in seconds?
>>>
>>> Can anyone help me speed this up?
>>>
>>> Thanks
>>> Ralph
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> +-----
>> joel esler | security consultant | Sourcefire |
>> http://demo.sourcefire.com/jesler.pgp.key

-- 
+-----
joel esler | security consultant | Sourcefire |
http://demo.sourcefire.com/jesler.pgp.key