[Snort-users] Slow Start Times (5 minutes +)

JJC cummingsj at ...11827...
Thu Nov 10 08:57:01 EST 2011


There are certainly optimizations... I would, however, be curious about how
much memory that your system has and how much is being used...  Could be a
simple sizing issue... and 17K rules is a ton of rules!

On Wed, Nov 9, 2011 at 3:02 PM, Eoin Miller <
eoin.miller at ...14586...> wrote:

> Scripted the creation of a lot of signatures to look for some specific
> domain/host names inside of http_header and noticed that snort now seems
> to take quite a while to start up when these signatures are loaded (5
> minutes).
>
> Example rules:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
> content:"domain1.com|0D 0A|"; http_header; sid:1; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
> content:"domain2.com|0D 0A|"; http_header; sid:2; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ALERT";
> content:"domain3.com|0D 0A|"; http_header; sid:3; rev:1;)
> ...
> and so on and so forth
> ...
>
> While snort is starting up, the processor is pegged at 100% for this
> time period until it drops privs to daemonize and processes the pcap
> file in no time at all after it gets rolling. I did some simple analysis
> just using the 'time' command and processing a VERY small pcap (like ~10
> packets) file with various numbers of rules to see how long it took.
> Below is the number of example style rules and the time it took for
> snort to start up and process the ~10 packet file:
>
> 01000 rules:
> real    0m2.089s
> user    0m1.000s
> sys     0m0.097s
>
> 02000 rules:
> real    0m3.324s
> user    0m2.200s
> sys     0m0.132s
>
> 03000 rules:
> real    0m4.909s
> user    0m3.766s
> sys     0m0.150s
>
> 04000 rules:
> real    0m6.878s
> user    0m5.705s
> sys     0m0.179s
>
> 05000 rules:
> real    0m9.288s
> user    0m8.063s
> sys     0m0.231s
>
> 06000 rules:
> real    0m12.267s
> user    0m11.035s
> sys     0m0.236s
>
> 07000 rules:
> real    0m16.034s
> user    0m14.767s
> sys     0m0.266s
>
> 08000 rules:
> real    0m20.464s
> user    0m19.148s
> sys     0m0.318s
>
> 09000 rules:
> real    0m27.713s
> user    0m26.380s
> sys     0m0.332s
>
> 10000 rules:
> real    0m37.173s
> user    0m35.811s
> sys     0m0.363s
>
> 11000 rules:
> real    0m52.529s
> user    0m51.074s
> sys     0m0.457s
>
> 12000 rules:
> real    1m17.307s
> user    1m15.771s
> sys     0m0.526s
>
> 13000 rules:
> real    1m45.878s
> user    1m44.328s
> sys     0m0.530s
>
> 14000 rules:
> real    2m34.341s
> user    2m32.678s
> sys     0m0.648s
>
> 15000 rules:
> real    3m23.892s
> user    3m22.185s
> sys     0m0.685s
>
> 16000 rules:
> real    4m11.174s
> user    4m9.279s
> sys     0m0.850s
>
> 17000 rules:
> real    4m54.605s
> user    4m52.632s
> sys     0m0.915s
>
>
> This doesn't seem entirely normal for this few rules, I am guessing
> there is some review/optimization for the pattern matching that is going
> on when the sigs all end/share similar patterns that causes this? Total
> shot in the dark with that guess for the reason for the extended start
> up times.
>
> -- Eoin
>
>
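The generator script Eoin mentions is not on the page, and the timing table is raw `time` output. The following is an added example, not code from the original post or from the Snort project. It builds rules in exactly the form quoted above (hostname followed by `|0D 0A|` in the `http_header` buffer), refuses hostnames that would smuggle rule syntax into `content:"..."`, parses `time`-style lines such as `real 4m54.605s`, and computes the marginal startup cost per added rule from the posted numbers, which is the quickest way to see that the growth is superlinear. The domain list, sid base and the `snort -q -c ... -r ...` command line in `time_startup()` are assumptions made for illustration; the timing figures embedded below are copied from the thread's `real` column.

```python
"""Generate http_header domain rules and quantify Snort startup-time scaling.

Added example, not code from the original post or from Snort itself.  The
rule text follows the example rules quoted in the thread; the domain list,
sid base and the snort command line in time_startup() are assumptions.
"""
import re
import resource  # Unix only: used to read the child's user/sys CPU time
import subprocess
import time

# Hostnames are restricted to the DNS label alphabet, so none of the characters
# Snort treats specially inside content:"..." (; \ " |) can reach the rule file.
_HOST_RE = re.compile(
    r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*")


def make_rule(domain, sid, msg="ALERT"):
    """One rule in the form quoted in the thread: a literal match on
    '<domain>\\r\\n' in the http_inspect-normalized HTTP header buffer.
    (http_header needs the http_inspect preprocessor to be enabled.)"""
    host = domain.strip().lower().rstrip(".")
    if not _HOST_RE.fullmatch(host):
        raise ValueError("not a valid hostname: %r" % domain)
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            '(msg:"%s"; content:"%s|0D 0A|"; http_header; sid:%d; rev:1;)'
            % (msg, host, sid))


def make_rules(domains, sid_base=1):
    """Rules for a whole domain list with unique, consecutive sids."""
    return [make_rule(d, sid_base + i) for i, d in enumerate(domains)]


_TIME_RE = re.compile(r"(real|user|sys)\s+(?:(\d+)m)?(\d+(?:\.\d+)?)s")


def parse_time_line(line):
    """'real    4m54.605s' -> ('real', 294.605), the format bash's `time` prints."""
    m = _TIME_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a time line: %r" % line)
    minutes = int(m.group(2) or 0)
    return m.group(1), minutes * 60 + float(m.group(3))


def marginal_costs(samples):
    """[(rules, seconds), ...] -> [(rules, extra seconds per added rule), ...].
    A flat series means linear scaling; a rising one means superlinear."""
    samples = sorted(samples)
    return [(n1, (t1 - t0) / (n1 - n0))
            for (n0, t0), (n1, t1) in zip(samples, samples[1:])]


# The 'real' column of the timings posted in the thread (rule count, time).
THREAD_REAL = [
    (1000, "0m2.089s"), (2000, "0m3.324s"), (3000, "0m4.909s"),
    (4000, "0m6.878s"), (5000, "0m9.288s"), (6000, "0m12.267s"),
    (7000, "0m16.034s"), (8000, "0m20.464s"), (9000, "0m27.713s"),
    (10000, "0m37.173s"), (11000, "0m52.529s"), (12000, "1m17.307s"),
    (13000, "1m45.878s"), (14000, "2m34.341s"), (15000, "3m23.892s"),
    (16000, "4m11.174s"), (17000, "4m54.605s"),
]


def thread_marginal_costs():
    """Marginal cost per rule, per 1000-rule step, from the posted figures."""
    samples = [(n, parse_time_line("real " + s)[1]) for n, s in THREAD_REAL]
    return marginal_costs(samples)


def time_startup(snort_conf, pcap, snort="snort"):
    """Run Snort once over a tiny pcap and return (real, user, sys) seconds,
    the same three numbers `time` reports.  Assumes a snort binary on PATH
    and a snort.conf that includes the generated rules file."""
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    t0 = time.perf_counter()
    subprocess.run([snort, "-q", "-c", snort_conf, "-r", pcap], check=True)
    real = time.perf_counter() - t0
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    return (real, after.ru_utime - before.ru_utime,
            after.ru_stime - before.ru_stime)


if __name__ == "__main__":
    # Assumed domain list; writes the same kind of file the thread describes.
    with open("domains.rules", "w") as fh:
        fh.write("\n".join(make_rules(["domain1.com", "domain2.com"])) + "\n")
    for n, per_rule in thread_marginal_costs():
        print("%5d rules: %7.1f ms per added rule" % (n, per_rule * 1000))
```

Running the main block prints the per-rule cost climbing from roughly 1.2 ms at 2000 rules to over 40 ms from 14000 rules on, which is the superlinear behaviour the thread is asking about; to reproduce the measurement on your own box, point `time_startup()` at a snort.conf that includes the generated file and a pcap of a few packets.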