Snort mailing list archives
Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info
From: "James Lay" <jlay () slave-tothe-box net>
Date: Fri, 17 Nov 2006 09:16:58 -0700
Wow good questions :D Ok..here is the info:

Distro is Slackware 10.2
Compiled Snort with: ./configure --with-mysql=/usr/local/mysql --enable-dynamicplugin
I have some streaming media and a trickle of ssh traffic..this is just a home setup, so not a lot of traffic present.

Are the below all the mem options I have?
ac | ac-std | ac-bnfa | acs | ac-banded | ac-sparsebands | lowmem

After initial startup, snort with ac-sparsebands is using 52% of 1 gig of memory..which is about how it was running with 2.6.0

And HOLY SMACKERS! Ac-bnfa sure made a difference! Tested with that and now snort is using 9% of memory, and init time was less than a minute!

09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108
09:10:35 myshield snort[31108]: Daemon parent exiting
09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)
09:11:10 myshield snort[31109]: Not Using PCAP_FRAMES

I'll see how this flies throughout the day. Thank you!!

James

-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Justin Heath
Sent: Friday, November 17, 2006 5:56 AM
To: Forward4James
Cc: Snort
Subject: Re: [Snort-users] 2.6.1 and LOOOONG startup times plus moreignore_scanners info

Can you provide more information regarding your setup? If so ...

What OS/Distro and OS/Distro version are you running?
Did you compile by hand or use the binaries from snort.org?
If you compiled by hand what configure arguments, cflags etc. did you use?
How much traffic is passing by the monitoring interface that Snort is configured to listen to?
What results did you see with the new pattern matcher (ac-bnfa) enabled?

Cheers,
Justin Heath

On 11/17/06, James Lay <jlay () slave-tothe-box net> wrote:
Sooo....I nuked:

config detection: search-method ac-sparsebands

and now snort starts with no ignore_scanners error (from my previous post)

with

config detection: search-method ac-sparsebands

enabled snort takes about 800 megs of ram. Without it, snort now takes 1.4 gigs of ram. Snort 2.6.1 now takes almost a full 15 minutes to fully start now

Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES

Including config below:
var HOME_NET [192.168.0.0/24,exip]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.2
var SMTP_SERVERS 192.168.0.2
var HTTP_SERVERS 192.168.0.2
var SQL_SERVERS 192.168.0.2
var TELNET_SERVERS 192.168.0.2
var SNMP_SERVERS 192.168.0.2
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /chroot/snort/etc/snort/rules
var SSH_PORTS 22
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports[all]
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor smtp: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
ignore_scanners { 192.168.0.3,192.168.0.2 }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user= password= dbname= host=192.168.0.3
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
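The thread measures start-up time by eye from the syslog lines between "Daemon parent exiting" and "Snort initialization completed successfully". The following script is an added example, not code from the thread or from the Snort project: it parses the two syslog excerpts quoted above (both the dated and the undated format) and turns each into a start-up time in seconds, so different search-method settings can be compared against a threshold instead of by inspection.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# The two syslog excerpts quoted in the thread, used here as sample input.
SLOW_START = """Nov 17 04:51:58 myshield snort[29273]: Daemon parent exiting
Nov 17 05:06:08 myshield snort[29274]: Snort initialization completed successfully (pid=29274)
Nov 17 05:06:08 myshield snort[29274]: Not Using PCAP_FRAMES"""

FAST_START = """09:10:35 myshield snort[31109]: Daemon initialized, signaled parent pid: 31108
09:10:35 myshield snort[31108]: Daemon parent exiting
09:11:10 myshield snort[31109]: Snort initialization completed successfully (pid=31109)
09:11:10 myshield snort[31109]: Not Using PCAP_FRAMES"""

# Matches "Nov 17 04:51:58 host snort[pid]: msg" and "04:51:58 host snort[pid]: msg".
LINE_RE = re.compile(
    r"^(?:(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+)?(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)


def snort_startup_seconds(log_text: str) -> Optional[int]:
    """Seconds from the first daemon start message to 'initialization completed'."""
    start = end = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not snort syslog entries
        stamp = datetime.strptime(m["time"], "%H:%M:%S")
        msg = m["msg"]
        if start is None and ("Daemon initialized" in msg or "Daemon parent exiting" in msg):
            start = stamp
        elif msg.startswith("Snort initialization completed successfully"):
            end = stamp
            break
    if start is None or end is None:
        return None  # incomplete start-up: nothing to measure
    if end < start:  # start-up crossed midnight (time-only stamps wrap)
        end += timedelta(days=1)
    return int((end - start).total_seconds())


def flag_slow_startups(samples: dict, threshold_s: int = 300) -> dict:
    """Label each sample SLOW or OK against a threshold (default 5 minutes)."""
    report = {}
    for label, text in samples.items():
        secs = snort_startup_seconds(text)
        if secs is None:
            report[label] = "no complete start-up found"
        else:
            report[label] = f"{'SLOW' if secs > threshold_s else 'OK'} ({secs}s)"
    return report
```

Feed it the relevant lines from /var/log/messages (or wherever syslog writes LOG_AUTH) after each restart to record the effect of a search-method change.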
Current thread:
- 2.6.1 and LOOOONG startup times plus more ignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Justin Heath (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plusmoreignore_scanners info John York (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Nigel Houghton (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus moreignore_scanners info James Lay (Nov 17)
- Re: 2.6.1 and LOOOONG startup times plus more ignore_scanners info Justin Heath (Nov 17)
