[Snort-users] disable Verifying Preprocessor Configurations

Hussein Bahaidarah husseinb at ...11827...
Thu Jul 7 17:57:53 EDT 2011


Hello,

50K might be a lot. However, none of them need a preprocessor. My concern is why preprocessing verification is still taking place?
On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:

You are loading 50 thousand rules, and you are wondering why Snort is taking a long time to start up?


On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:

> Hi,
> 
> Yes, all lines are commented out. by the way, I am using beta version 2.9.1. Snort initialization shows that no preprocessor rules are used.
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 50001 Snort rules read
>   50001 detection rules
>   0 decoder rules
>   0 preprocessor rules
> 50001 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:
> 
> On 7/7/2011 15:26, Hussein Bahaidarah wrote:
>> Hello,
>> 
>> I am not using any preprocessor.
> 
> really? no preprocessors at all?? each and every one of them are commented out 
> in your snort.conf?
> 
>> However, still snort does the "Verifying Preprocessor Configurations" step at the loading stage. Is there any way to turn this off as it takes long time as the rule file grows.
>> 
>> "
>> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
>> Verifying Preprocessor Configurations!
>> "
>> 
>> Thanks
> 
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please see http://www.snort.org/docs for documentation
> 
> 
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please see http://www.snort.org/docs for documentation






More information about the Snort-users mailing list