Snort mailing list archives

Re: Slow snort startup, plus flowbit issues


From: Y M <snort () outlook com>
Date: Mon, 6 Oct 2014 18:19:09 +0000

This kind of behavior is usually observed (I did) when a large number of rules are enabled, specifically, if 
you have specified to enable all rules (enablesid.conf). 

YM

Date: Mon, 6 Oct 2014 13:09:02 -0400
From: adimino () sempersecurus org
To: snort-users () lists sourceforge net
Subject: [Snort-users] Slow snort startup, plus flowbit issues

I'm having two issues with my PulledPork/Snort instance.  I mostly use this instance for offline scanning of pcaps, so 
typically the Snort and PulledPork initialization is done in the background.  Recently I noticed that it took a very long 
time to process a pcap, so I ran Snort initialization and test in the console. 

First, despite using PulledPork, I get a huge number of flowbit warnings.  Right after that, the Snort initialization 
seems to hang for about three minutes before completing.  The output looks like this:

WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'ET.Hupinit1' is checked but not ever set.
WARNING: flowbits key 'ETPRO.NetServEnum' is set but not ever checked.
WARNING: flowbits key 'ppt.download' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'Omerta_1_3_conn_2' is checked but not ever set.
WARNING: flowbits key 'IBFS32.insecure.dll' is checked but not ever set.
WARNING: flowbits key 'ETPRO.Banload.YE' is set but not ever checked.
WARNING: flowbits key 'ETPRO.header.UHCa' is set but not ever checked.
WARNING: flowbits key 'http.stat_code_407' is set but not ever checked.
1186 out of 2048 flowbits in use.
<hangs here for about 3 minutes>

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 831
|     1 byte states : 767
|     2 byte states : 59
|     4 byte states : 5
| Characters        : 1776907
| States            : 957996
| Transitions       : 123569332
| State Density     : 50.4%
| Patterns          : 107743
| Match States      : 134735
| Memory (MB)       : 841.66
|   Patterns        : 11.61
|   Match Lists     : 53.36
|   DFA
|     1 byte states : 5.73
|     2 byte states : 160.77
|     4 byte states : 608.68
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 17917 ]
        --== Initialization Complete ==--
Any idea why the long wait between flowbit checking and snort startup?  Also, what might be contributing to all the 
flowbit warnings despite PulledPork going through the flowbit check?

I'm using Snort v2.9.6.2 and PulledPork v0.7.0.

Many thanks in advance.
Andre'
-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)


------------------------------------------------------------------------------
Slashdot TV.  Videos for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
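To see where the "set but not ever checked" / "checked but not ever set" warnings quoted above come from, here is an added checker (not part of the thread, and not PulledPork's or Snort's own code) that reads a rules file the way Snort's startup check does and reports, per flowbits key, which active rules set it and which check it. The rule lines below are constructed samples; the key names are only borrowed from the warnings in the post. It treats commented-out rules as inactive, which is why disabling one half of a set/check pair produces such a warning.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread). Key names echo the warnings above.
SAMPLE_RULES = r"""
alert tcp any any -> any 80 (msg:"set only"; flowbits:set,file.caff; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 80 (msg:"setter"; flowbits:set,http.stat_code_407; flowbits:noalert; sid:1000002;)
alert tcp any any -> any 80 (msg:"checker"; flowbits:isset,http.stat_code_407; sid:1000003;)
alert tcp any any -> any 80 (msg:"orphan check"; flowbits:isnotset,ET.Hupinit1; sid:1000004;)
# alert tcp any any -> any 80 (msg:"disabled setter"; flowbits:set,ppt.download; sid:1000005;)
alert tcp any any -> any 80 (msg:"multi-key"; flowbits:set,a&b; flowbits:isset,a|b; sid:1000006;)
"""

# Assumption: only these operators count as "setting" / "checking" a key.
SETTERS = {"set", "setx"}
CHECKERS = {"isset", "isnotset"}
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")
SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")

def flowbit_usage(rules_text):
    """Map each flowbits key to the sids of active rules that set or check it."""
    usage = defaultdict(lambda: {"set": [], "check": []})
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented (disabled) rule contributes nothing, exactly like Snort
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for op, arg in FLOWBITS_RE.findall(line):
            if op not in SETTERS | CHECKERS or not arg:
                continue  # noalert / reset carry no key
            # First field is the key spec (setx adds a group name); keys may be joined by & or |.
            for key in re.split(r"[&|]", arg.split(",")[0]):
                key = key.strip()
                bucket = "set" if op in SETTERS else "check"
                usage[key][bucket].append(sid)
    return usage

def flowbit_warnings(rules_text):
    """Produce the same two warning kinds Snort prints at startup, with the sids involved."""
    warnings = []
    for key, use in sorted(flowbit_usage(rules_text).items()):
        if use["set"] and not use["check"]:
            warnings.append(f"flowbits key '{key}' is set but not ever checked (sids {use['set']})")
        elif use["check"] and not use["set"]:
            warnings.append(f"flowbits key '{key}' is checked but not ever set (sids {use['check']})")
    return warnings

if __name__ == "__main__":
    for w in flowbit_warnings(SAMPLE_RULES):
        print("WARNING:", w)
```

Run it against the rules files PulledPork actually writes (for example the merged snort.rules) to see, for every warned key, which sids carry the orphaned half of the pair.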
  