
Snort mailing list archives
Re: Snort 2.9.6.0 and number of rules
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 6 Mar 2014 12:47:43 +0000
If you built with --enable-debug, drop the -D and start Snort in the debugger. You should be able to get a bt if something bad happens.

________________________________
From: Y M [snort () outlook com]
Sent: Thursday, March 06, 2014 3:20 AM
To: snort-users
Subject: Re: [Snort-users] Snort 2.9.6.0 and number of rules

Did some troubleshooting and it seems Snort starts reading the first pcap file and then exits without reading the rest of the same pcap or the remaining pcap files. Running Snort as a daemon results in:

Reading network traffic from "/tmp/pcaps/pcap1.pcap" with snaplen = 1514
Spawning daemon child...
My daemon child 4216 lives...
Parent waiting for child...
Child terminated unexpectedly (0)
Daemon parent exiting (0)

So I recompiled Snort with --enable-debug --enable-debug-msgs --enable-gdb. Running gdb bt always returns "No Stack.". I also used export SNORT_DEBUG and SNORT_PP_DEBUG with values from snort_debug.h, which did not print any messages.

________________________________
From: snort () outlook com
To: snort-users () lists sourceforge net
Date: Sun, 2 Mar 2014 16:39:42 +0000
Subject: [Snort-users] Snort 2.9.6.0 and number of rules

We have a development/testing Snort box (VM) running Snort 2.9.6.0 that we mainly use for testing custom rules. We are experiencing an odd behavior depending on the number of rules enabled. For instance, we have a set of 4 pcaps that we are currently working on with the following sizes:

pcap1.pcap --> 6.2 MB
pcap2.pcap --> 2.4 MB
pcap3.pcap --> 17.9 MB
pcap4.pcap --> 2.2 MB

If the rules are set up to run the Security policy, then we get the associated alerts that we are expecting to be generated (over 1700 alerts), including both VRT and our custom alerts. The pcaps are being read through --pcap-dir and --pcap-show. However, if all of the rules are enabled and we run the same command, we only get 2 alerts (1 VRT and 1 custom). The same behavior also happens when running snort against the pcaps individually using the -r command.

I tested the same pcaps using the above scenario against a VM running Snort 2.9.5.6 and we always get the expected behavior as above (over 1700 alerts). One thing I noticed is that when using the Security policy, the exit statistics are displayed when Snort completes reading the pcap. However, when all of the rules are enabled, exit statistics do not display at all. Both VMs running Snort 2.9.5.6 and 2.9.6.0 have the same configurations and the same number of rules, with the exception that Snort 2.9.6.0 was configured with the file_inspect preprocessor, though it is disabled. I recompiled Snort with only --enable-sourcefire and --enable-reload, but the same odd behavior remained. The VM running Snort 2.9.6.0 has a 12 core CPU and 8 GB of RAM. Has anyone experienced the same behavior or tested Snort with all the rules enabled against some pcaps? I must be doing something stupid here or there.

Thanks.
YM
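The foreground debugger run suggested in the reply above, written out as an added example (not code from the thread or from the Snort project): it strips -D, runs Snort under gdb in batch mode, and classifies the result so that gdb's "No stack." is recognised as "Snort exited on its own" rather than a crash. Assumed: a --enable-debug build, `snort` and `gdb` on PATH, the hypothetical SNORT_BIN and GDB_LOG overrides, and that gdb can resolve a breakpoint on exit() so the backtrace shows who called it.

```shell
#!/bin/sh
# Added example, not from the thread. Run a --enable-debug Snort build in the
# foreground under gdb so that a crash, or an early exit, leaves a backtrace.
# Assumptions: snort and gdb on PATH; SNORT_BIN / GDB_LOG are hypothetical overrides.

# Drop -D: a daemonized child dies out of the debugger's reach, which is why the
# parent only reports "Child terminated unexpectedly (0)" and gdb has no stack.
strip_daemon_flag() {
    out=""
    for arg in "$@"; do
        [ "$arg" = "-D" ] && continue
        out="$out $arg"
    done
    printf '%s' "${out# }"
}

# Classify a gdb batch transcript:
#   crash     - gdb stopped on a signal; the bt in the log is the crash site
#   exit-trap - the breakpoint on exit() fired; the bt shows who decided to quit
#   exit      - Snort finished without hitting either (gdb prints "No stack.")
#   unknown   - anything else (gdb missing, bad config path, ...)
classify_gdb_log() {  # $1 = path to the gdb log
    if grep -q 'Program received signal' "$1"; then
        echo crash
    elif grep -q 'Breakpoint 1,' "$1"; then
        echo exit-trap
    elif grep -qE 'exited (normally|with code)' "$1"; then
        echo exit
    else
        echo unknown
    fi
}

# Non-interactive gdb session: trap exit(), run, print a backtrace, quit.
# The whole transcript is kept in $GDB_LOG; only the classification is printed.
snort_under_gdb() {
    bin=${SNORT_BIN:-snort}
    log=${GDB_LOG:-/tmp/snort-gdb.log}
    args=$(strip_daemon_flag "$@")
    # shellcheck disable=SC2086  # word splitting of $args is intended here
    gdb -batch -ex 'break exit' -ex run -ex bt -ex quit --args "$bin" $args >"$log" 2>&1
    classify_gdb_log "$log"
}

# Usage: sh snort-gdb.sh -c /etc/snort/snort.conf --pcap-dir /tmp/pcaps --pcap-show
if [ "$#" -gt 0 ]; then
    snort_under_gdb "$@"
fi
```

An "exit-trap" result with a status of 0, as in the daemon output quoted in the thread, points at a deliberate shutdown path in Snort (a fatal configuration or rule problem) rather than memory corruption, and the backtrace in the log names the caller.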
Current thread:
- Snort 2.9.6.0 and number of rules Y M (Mar 02)
- Re: Snort 2.9.6.0 and number of rules Y M (Mar 06)
- Re: Snort 2.9.6.0 and number of rules Russ Combs (rucombs) (Mar 06)
- Re: Snort 2.9.6.0 and number of rules Y M (Mar 26)
- Re: Snort 2.9.6.0 and number of rules Russ Combs (rucombs) (Mar 06)
- Re: Snort 2.9.6.0 and number of rules Y M (Mar 06)