[Snort-users] command line options...

waldo kitty wkitty42 at ...14940...
Sat Sep 25 20:23:29 EDT 2010


On 9/25/2010 15:48, Joel Esler wrote:
>
> On Fri, Sep 24, 2010 at 5:56 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>     anyway, back to trying to figure out why we now have three snort processes when
>     we used to only have one... we're testing these compile time options...
>
>        --enable-gre
>        --enable-mpls
>        --enable-targetbased
>        --enable-decoder-preprocessor-rules
>        --enable-ppm
>        --enable-perfprofiling
>        --enable-zlib
>        --enable-reload
>
>
> You have three because of the reload option.  (I thought it was two tho, maybe
> Russ can answer back).

yes, i finally saw a comment during the cold loading that the reload thread was 
started... what's the third thread for?


and have i maybe found a bug? when i SIGHUP snort with the above configuration, 
it uses additional memory instead of blowing it out and starting over... here's 
top from a cold start up and after a SIGHUP...

[cold start]
top - 20:02:17 up 43 days, 10:54,  4 users,  load average: 0.07, 0.07, 0.06
Tasks:  61 total,   1 running,  60 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.0%us,  4.3%sy,  0.0%ni, 80.4%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:    516492k total,   507108k used,     9384k free,    14668k buffers
Swap:   516088k total,    20672k used,   495416k free,   137692k cached

   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27036 snort     15   0  181m 153m 1632 S  0.0 30.3   0:55.72 snort
27037 root      16   0  181m 153m 1632 S  0.0 30.3   0:00.00 snort
27038 root      16   0  181m 153m 1632 S  0.0 30.3   0:00.00 snort



[SIGHUP]
top - 20:06:16 up 43 days, 10:58,  4 users,  load average: 0.97, 0.57, 0.25
Tasks:  60 total,   1 running,  59 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  0.7%sy,  0.0%ni, 96.4%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:    516492k total,   507540k used,     8952k free,     3068k buffers
Swap:   516088k total,    64644k used,   451444k free,    76320k cached

   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27036 snort     16   0  295m 249m 1976 S  0.0 49.5   0:56.14 snort
27037 root      16   0  295m 249m 1976 S  0.0 49.5   0:00.00 snort
27038 root      16   0  295m 249m 1976 S  0.0 49.5   1:39.28 snort


every SIGHUP causes snort to use more and more memory... i was hoping that it 
would be faster than unloading and cold starting but it isn't... it still takes 
60+ seconds to complete... but then again, i have a large number of rules, too...

Sep 25 20:17:24 perseus snort[27036]: 12499 Snort rules read
Sep 25 20:17:24 perseus snort[27036]:     12263 detection rules
Sep 25 20:17:24 perseus snort[27036]:     72 decoder rules
Sep 25 20:17:24 perseus snort[27036]:     164 preprocessor rules
Sep 25 20:17:24 perseus snort[27036]: 12499 Option Chains linked into 1831 Chain Headers
Sep 25 20:17:24 perseus snort[27036]: 0 Dynamic rules

i'm also confused about the "0 Dynamic rules"... aren't those the SO rules? we 
know that my SO rules are firing as i posted a GID:3 yesterday asking something 
with it that i've not had answered yet :? :(



