[Snort-users] Slow Start Times (5 minutes +)
eoin.miller at ...14586...
Thu Nov 10 15:37:50 EST 2011
On 11/10/2011 1:57 PM, JJC wrote:
> There are certainly optimizations... I would, however, be curious about how
> much memory that your system has and how much is being used... Could be a
> simple sizing issue... and 17K rules is a ton of rules!
Definitely isn't due to a lack of RAM:
Mem: 74172428k total, 44161812k used, 30010616k free, 503960k buffers
Mem: 8174188k total, 3894432k used, 4279756k free, 517068k buffers
Swap: 4194288k total, 0k used, 4194288k free, 842948k cached
It isn't paging/swapping when it is doing this, processor is totally
pegged though. And IIRC, if it was disk swapping/waiting stuff, that
would show up as system in the time command output:
Since all the time is user, then it should be the Snort process itself
needing this amount of processing power to load up the rules.
17k is a ton of rules, but the engine runs with all that loaded up
pretty darn good (plus other rulesets on top of these even). It is just
the startup time that takes forever.