[Snort-users] disable Verifying Preprocessor Configurations

Hussein Bahaidarah husseinb at ...11827...
Thu Jul 7 18:30:05 EDT 2011


Thanks Russ,

You have clearly explained the issue. Would you please tell me which search method is better to conserve memory and yet still performs well with the fast pattern?

Thanks,


On Jul 8, 2011, at 12:05 AM, Russ Combs wrote:



On Thu, Jul 7, 2011 at 5:57 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:
Hello,

50K might be a lot. However, none of them need a preprocessor. My concern is why preprocessing verification is still taking place?

It is verifying an empty list of preprocessors.  Happens very quickly.  :)  That line is always output.

The next step has to do with fast pattern setup and that is what is taking some time.
 
On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:

You are loading 50 thousand rules, and you are wondering why Snort is taking a long time to start up?


On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:

> Hi,
>
> Yes, all lines are commented out. By the way, I am using beta version 2.9.1. Snort initialization shows that no preprocessor rules are used.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 50001 Snort rules read
>   50001 detection rules
>   0 decoder rules
>   0 preprocessor rules
> 50001 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:
>
> On 7/7/2011 15:26, Hussein Bahaidarah wrote:
>> Hello,
>>
>> I am not using any preprocessor.
>
> really? no preprocessors at all?? each and every one of them are commented out
> in your snort.conf?
>
>> However, Snort still does the "Verifying Preprocessor Configurations" step at the loading stage. Is there any way to turn this off, as it takes a long time as the rule file grows?
>>
>> "
>> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
>> Verifying Preprocessor Configurations!
>> "
>>
>> Thanks
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation
>
>




