[Snort-users] disable Verifying Preprocessor Configurations

Russ Combs rcombs at ...1935...
Thu Jul 7 18:05:27 EDT 2011


On Thu, Jul 7, 2011 at 5:57 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:

> Hello,
>
> 50K might be a lot. However, none of them need a preprocessor. My concern
> is why preprocessing verification is still taking place?
>

It is verifying an empty list of preprocessors.  Happens very quickly.  :)
That line is always output.

The next step has to do with fast pattern setup and that is what is taking
some time.


> On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:
>
> You are loading 50 thousand rules, and you are wondering why Snort is
> taking a long time to start up?
>
>
> On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:
>
> > Hi,
> >
> > Yes, all lines are commented out. By the way, I am using beta version
> > 2.9.1. Snort initialization shows that no preprocessor rules are used.
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 50001 Snort rules read
> >   50001 detection rules
> >   0 decoder rules
> >   0 preprocessor rules
> > 50001 Option Chains linked into 1 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:
> >
> > On 7/7/2011 15:26, Hussein Bahaidarah wrote:
> >> Hello,
> >>
> >> I am not using any preprocessor.
> >
> > really? no preprocessors at all?? each and every one of them are commented out
> > in your snort.conf?
> >
> >> However, still snort does the "Verifying Preprocessor Configurations"
> >> step at the loading stage. Is there any way to turn this off as it takes a
> >> long time as the rule file grows.
> >>
> >> "
> >> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> >> Verifying Preprocessor Configurations!
> >> "
> >>
> >> Thanks
> >
> >
> > ------------------------------------------------------------------------------
> > All of the data generated in your IT infrastructure is seriously valuable.
> > Why? It contains a definitive record of application performance, security
> > threats, fraudulent activity, and more. Splunk takes this data and makes
> > sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-d2d-c2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please see http://www.snort.org/docs for documentation
> >
>
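
The reply above says the "Verifying Preprocessor Configurations!" line is printed almost instantly and the wait that follows belongs to the next step (fast pattern setup). The script below is an added example, not code from this thread or from the Snort project: it timestamps startup lines as they arrive and charges each silent gap to the work that follows the last printed line. The sample timestamps are constructed; only the line text is taken from the thread.

```python
import sys
import time


def attribute_gaps(stamped_lines, end_time):
    """stamped_lines: [(seconds_since_start, text), ...] in arrival order.

    Returns [(gap_seconds, text), ...] where gap_seconds is the time that
    passed AFTER text was printed, i.e. the cost of whatever step runs next,
    not of the step the line names.
    """
    gaps = []
    for i, (t, text) in enumerate(stamped_lines):
        nxt = stamped_lines[i + 1][0] if i + 1 < len(stamped_lines) else end_time
        gaps.append((nxt - t, text))
    return gaps


def slowest(stamped_lines, end_time, top=3):
    """The `top` longest silences, longest first."""
    ranked = sorted(attribute_gaps(stamped_lines, end_time),
                    key=lambda g: g[0], reverse=True)
    return ranked[:top]


def stamp_stream(stream, clock=time.monotonic):
    """Timestamp each non-blank line as it arrives; returns (stamped, end_time)."""
    start = clock()
    stamped = [(clock() - start, line.rstrip("\n")) for line in stream if line.strip()]
    return stamped, clock() - start


# Constructed sample: timestamps are invented for illustration.
SAMPLE = [
    (0.0, "Initializing rule chains..."),
    (4.0, "50001 Snort rules read"),
    (4.1, "Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log"),
    (4.2, "Verifying Preprocessor Configurations!"),
]
SAMPLE_END = 61.2  # constructed: moment the next output (or exit) was seen

if __name__ == "__main__":
    if sys.stdin.isatty():          # nothing piped in: show the constructed sample
        stamped, end = SAMPLE, SAMPLE_END
    else:
        stamped, end = stamp_stream(sys.stdin)
    for gap, text in slowest(stamped, end):
        print(f"{gap:8.2f}s of silence after: {text}")
```

To measure a real startup, pipe Snort's test-mode output into it, for example `snort -T -c snort.conf 2>&1 | python3 phase_gaps.py` (the config path and script name are assumptions). If the output is block-buffered in the pipe, the gaps will be smeared across lines.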