[Snort-users] Slow Start Times (5 minutes +)

Eoin Miller eoin.miller at ...14586...
Thu Nov 10 15:37:50 EST 2011


On 11/10/2011 1:57 PM, JJC wrote:
> There are certainly optimizations... I would, however, be curious about how
> much memory that your system has and how much is being used...  Could be a
> simple sizing issue... and 17K rules is a ton of rules!
>

Definitely isn't due to a lack of RAM:
Mem:  74172428k total, 44161812k used, 30010616k free,   503960k buffers

Or:
Mem:   8174188k total,  3894432k used,  4279756k free,   517068k buffers
Swap:  4194288k total,        0k used,  4194288k free,   842948k cached

It isn't paging/swapping when it is doing this, processor is totally 
pegged though. And IIRC, if it was disk swapping/waiting stuff, that 
would show up as system in the time command output:

real    4m54.605s
user    4m52.632s
sys     0m0.915s

Since all the time is user, then it should be the Snort process itself 
needing this amount of processing power to load up the rules.

17k is a ton of rules, but the engine runs with all that loaded up 
pretty darn good (plus other rulesets on top of these even). It is just 
the startup time that takes forever.

-- Eoin
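
The check reasoned through in the message above (is the time spent on user CPU, in the kernel, or waiting?), as an added example that is not part of the original message: a small Python wrapper that runs a command, splits its wall-clock time into user, sys and off-CPU shares, and reports major page faults as a direct paging indicator. The function names and the 0.8 threshold are assumptions chosen for illustration.

```python
import resource
import subprocess
import sys
import time


def profile(argv):
    """Run argv to completion; return its time and page-fault accounting."""
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    real = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    return {
        "real": real,                                   # wall-clock seconds
        "user": after.ru_utime - before.ru_utime,       # CPU seconds in user space
        "sys": after.ru_stime - before.ru_stime,        # CPU seconds in the kernel
        "majflt": after.ru_majflt - before.ru_majflt,   # faults that needed disk I/O
    }


def shares(p):
    """Split wall-clock time into user, sys and off-CPU (blocked) fractions."""
    real = p["real"]
    if real <= 0:
        raise ValueError("real time must be positive")
    # Multi-threaded processes can accumulate more CPU time than wall time.
    wait = max(real - p["user"] - p["sys"], 0.0)
    return {"user": p["user"] / real, "sys": p["sys"] / real, "wait": wait / real}


def classify(p, threshold=0.8):
    """Name the dominant share, or 'mixed' if none reaches the threshold."""
    s = shares(p)
    top = max(s, key=s.get)
    if s[top] < threshold:
        return "mixed"
    return {
        "user": "cpu-bound in user space",
        "sys": "cpu-bound in the kernel",
        "wait": "mostly off-CPU (I/O, paging or sleep)",
    }[top]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: profile.py COMMAND [ARGS...]")
    result = profile(sys.argv[1:])
    print(result, shares(result), classify(result))
```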



