[Snort-users] disable Verifying Preprocessor Configurations

Will Metcalf william.metcalf at ...11827...
Thu Jul 7 18:08:01 EDT 2011


I'm not sure what you are trying to accomplish with 50k rules, but I'm
guessing you have the wrong tool for the job. Just my 2 cents...

Regards,

Will

On Thu, Jul 7, 2011 at 4:57 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:
> Hello,
>
> 50K might be a lot. However, none of them need a preprocessor. My concern is why preprocessing verification is still taking place?
> On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:
>
> You are loading 50 thousand rules, and you are wondering why Snort is taking a long time to start up?
>
>
> On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:
>
>> Hi,
>>
>> Yes, all lines are commented out. By the way, I am using beta version 2.9.1. Snort initialization shows that no preprocessor rules are used.
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> 50001 Snort rules read
>>   50001 detection rules
>>   0 decoder rules
>>   0 preprocessor rules
>> 50001 Option Chains linked into 1 Chain Headers
>> 0 Dynamic rules
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:
>>
>> On 7/7/2011 15:26, Hussein Bahaidarah wrote:
>>> Hello,
>>>
>>> I am not using any preprocessor.
>>
>> really? no preprocessors at all?? each and every one of them are commented out
>> in your snort.conf?
>>
>>> However, Snort still does the "Verifying Preprocessor Configurations" step at the loading stage. Is there any way to turn this off, as it takes a long time as the rule file grows?
>>>
>>> "
>>> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
>>> Verifying Preprocessor Configurations!
>>> "
>>>
>>> Thanks
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
>>
>
>
>



