This is a discussion on Re: [Snort-users] Slow snort Initialization. within the Snort forums, part of the System Security and Security Related category.
First things first. In your snort.conf place this:

config detection: search-method ac-bnfa

See what that does for you.

J

On Thu, May 10, 2007 at 12:43:28PM -0400, it looks like Ralph Crongeyer sent me:
> Hi list,
> I'm new to snort and the list.
>
> We (my company) are in the process of updating our snort version from 2.4
> to 2.6.1.4 and I am having this problem (if it is a problem).
>
> Background:
> Debian "Etch"
>
> libpcap (most current version) from http://public.lanl.gov/cpw/ (Phil
> Wood's libpcap) compiled from source.
>
> snort 2.6.1.4 compiled from source with libpcap compiled in (static).
> Configured like this:
> LDFLAGS=-static ./configure --enable-pthread --disable-dynamicplugin --with-libpcap-includes=/opt/libpcap-0.9x.20070323 --with-libpcap-libraries=/opt/libpcap-0.9x.20070323
>
> Problem:
> It takes up to 6 min to initialize. 6 min to go from this:
>
> ############################################
> Initializing Network Interface eth2
> OpenPcap() device eth2 network lookup:
> eth2: no IPv4 address assigned
> Decoding Ethernet on interface eth2
> ############################################
>
> to being ready to snort:
>
> ############################################
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.6.1.4 (Build 54)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> Using PCAP_FRAMES = 32768
> ############################################
>
> We have a lot of rules... however our previous version (2.4) processes
> everything and is initialized in seconds?
>
> Can anyone help me speed this up?
>
> Thanks
> Ralph

+-----
joel esler | security consultant | Sourcefire | http://demo.sourcefire.com/jesler.pgp.key