[Snort-users] Slow Start Times (5 minutes +)

Eoin Miller eoin.miller at ...14586...
Wed Nov 9 17:02:19 EST 2011

Scripted the creation of a lot of signatures to look for some specific 
domain/host names inside of http_header and noticed that snort now seems 
to take quite a while to start up when these signatures are loaded (5 

Example rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT"; content:"domain1.com|0D 0A|"; http_header; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT"; content:"domain2.com|0D 0A|"; http_header; sid:2; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT"; content:"domain3.com|0D 0A|"; http_header; sid:3; rev:1;)
and so on and so forth

While snort is starting up, the processor is pegged at 100% for this 
time period until it drops privs to daemonize and processes the pcap 
file in no time at all after it gets rolling. I did some simple analysis 
just using the 'time' command and processing a VERY small pcap (like ~10 
packets) file with various numbers of rules to see how long it took. 
Below is the number of example style rules and the time it took for 
snort to start up and process the ~10 packet file:

01000 rules:
real    0m2.089s
user    0m1.000s
sys     0m0.097s

02000 rules:
real    0m3.324s
user    0m2.200s
sys     0m0.132s

03000 rules:
real    0m4.909s
user    0m3.766s
sys     0m0.150s

04000 rules:
real    0m6.878s
user    0m5.705s
sys     0m0.179s

05000 rules:
real    0m9.288s
user    0m8.063s
sys     0m0.231s

06000 rules:
real    0m12.267s
user    0m11.035s
sys     0m0.236s

07000 rules:
real    0m16.034s
user    0m14.767s
sys     0m0.266s

08000 rules:
real    0m20.464s
user    0m19.148s
sys     0m0.318s

09000 rules:
real    0m27.713s
user    0m26.380s
sys     0m0.332s

10000 rules:
real    0m37.173s
user    0m35.811s
sys     0m0.363s

11000 rules:
real    0m52.529s
user    0m51.074s
sys     0m0.457s

12000 rules:
real    1m17.307s
user    1m15.771s
sys     0m0.526s

13000 rules:
real    1m45.878s
user    1m44.328s
sys     0m0.530s

14000 rules:
real    2m34.341s
user    2m32.678s
sys     0m0.648s

15000 rules:
real    3m23.892s
user    3m22.185s
sys     0m0.685s

16000 rules:
real    4m11.174s
user    4m9.279s
sys     0m0.850s

17000 rules:
real    4m54.605s
user    4m52.632s
sys     0m0.915s

This doesn't seem entirely normal for this few rules; I am guessing 
there is some review/optimization for the pattern matching that is going 
on when the sigs all end/share similar patterns that causes this? Total 
shot in the dark with that guess for the reason for the extended start-up 
times.

-- Eoin
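A harness for reproducing the measurement described in the post, written here as an added example (it is not Eoin's script and not part of Snort). It generates N rules of the shape shown above, times one snort run over a small pcap for each N when a snort binary is available, and includes helpers that convert the `time` figures quoted in the post into seconds and compare them, so the growth between rule counts can be read directly (8000 to 16000 rules is roughly a 12x increase in the quoted real time, not 2x). The snort.conf and pcap paths, the temporary conf made of two `include` lines, and the `-q -N -A none` flags are assumptions about the test environment, not details from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Generates N http_header rules
# of the form quoted in the thread and times snort start-up over a tiny pcap.
# Placeholder paths (override via the environment); these are assumptions.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SMALL_PCAP="${SMALL_PCAP:-/tmp/ten-packets.pcap}"

# gen_rules N OUTFILE: write N rules, sid 1..N, each matching a distinct
# constructed host name followed by CRLF in the HTTP header. Prints the
# number of lines written.
gen_rules() {
    n=$1; out=$2
    : > "$out"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT"; content:"domain%d.com|0D 0A|"; http_header; sid:%d; rev:1;)\n' "$i" "$i" >> "$out"
        i=$((i + 1))
    done
    wc -l < "$out" | tr -d ' '
}

# to_seconds "1m17.307s": convert the bash `time` builtin's MmS.SSSs format
# (as quoted in the post) to plain seconds. awk does the float arithmetic.
to_seconds() {
    t=$1
    mins=${t%%m*}
    secs=${t#*m}; secs=${secs%s}
    awk -v m="$mins" -v s="$secs" 'BEGIN { printf "%.3f\n", m * 60 + s }'
}

# ratio A B: how many times larger time A is than time B (both in the
# MmS.SSSs format), to two decimals; a doubling of rules giving much more
# than 2.00 here is the superlinear growth the post is describing.
ratio() {
    a=$(to_seconds "$1"); b=$(to_seconds "$2")
    awk -v a="$a" -v b="$b" 'BEGIN { printf "%.2f\n", a / b }'
}

# bench N: time a single snort run (read pcap, exit) with N generated rules.
# Assumption: a temporary conf that includes the base conf and then the
# generated rules file is an acceptable way to load them in this setup.
bench() {
    n=$1
    rules=$(mktemp); conf=$(mktemp)
    gen_rules "$n" "$rules" > /dev/null
    printf 'include %s\ninclude %s\n' "$SNORT_CONF" "$rules" > "$conf"
    # `time -p` writes "real N.NN" to the shell's stderr; keep only that figure.
    t=$( { time -p snort -q -N -A none -c "$conf" -r "$SMALL_PCAP" > /dev/null 2>&1; } 2>&1 | awk '/^real/ { print $2 }' )
    rm -f "$rules" "$conf"
    printf '%d rules: real %ss\n' "$n" "$t"
}

# Doubling the rule count each step makes the growth rate obvious.
if command -v snort > /dev/null 2>&1; then
    for n in 1000 2000 4000 8000 16000; do
        bench "$n"
    done
else
    echo "snort not found on PATH; only gen_rules/to_seconds/ratio are available" >&2
fi
```

Run it with SNORT_CONF and SMALL_PCAP pointing at a real config and a capture of a handful of packets; the per-count lines it prints are the same real-time figures the post tabulates, and `ratio 4m11.174s 0m20.464s` applied to the post's own numbers gives 12.27.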

