Hi Martin,<br><br>I am not sure why it would take 28 min to start Suricata if you use all the default config and options.<br>Could you please elaborate a bit more on your set-up? /Sur ver/platform/HW../<br><br>Please find below my output, which uses a rule set about 3 times bigger and loads in about 4 min:<br>
""<br>[2034] 18/9/2011 -- 17:05:07 - (detect.c:2440) <Info> (SigAddressPrepareStage1) -- 29875 signatures processed. 1285 are IP-only rules, 19921 are inspecting packet payload, 8883 inspect application layer, 72 are decoder/engine/stream event only<br>
[2034] 18/9/2011 -- 17:05:07 - (detect.c:2443) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete<br>[2034] 18/9/2011 -- 17:05:36 - (detect.c:3085) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete<br>
[2034] 18/9/2011 -- 17:07:20 - (detect.c:3642) <Info> (SigAddressPrepareStage3) -- MPM memory 2119838502 (dynamic 2119838502, ctxs 0, avg per ctx 0)<br>[2034] 18/9/2011 -- 17:07:20 - (detect.c:3644) <Info> (SigAddressPrepareStage3) -- max sig id 29876, array size 3735<br>
[2034] 18/9/2011 -- 17:07:20 - (detect.c:3655) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete<br>[2034] 18/9/2011 -- 17:07:46 - (util-threshold-config.c:135) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory<br>
[2034] 18/9/2011 -- 17:07:46 - (alert-fastlog.c:366) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log<br>[2034] 18/9/2011 -- 17:07:46 - (alert-unified2-alert.c:897) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB<br>
[2034] 18/9/2011 -- 17:07:46 - (runmodes.c:342) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring<br>[2034] 18/9/2011 -- 17:07:46 - (log-droplog.c:181) <Info> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:356) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144<br>[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:368) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:378) <Info> (StreamTcpInitConfig) -- stream "memcap": 567554432<br>[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:385) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: enabled<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:393) <Info> (StreamTcpInitConfig) -- stream "async_oneside": enabled<br>[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:409) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": disabled<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream."inline": enabled<br>[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:429) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:439) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576<br>[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:462) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560<br>
[2034] 18/9/2011 -- 17:07:46 - (stream-tcp.c:464) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560<br>[2044] 18/9/2011 -- 17:07:46 - (source-pcap.c:379) <Info> (ReceivePcapThreadInit) -- using interface eth0<br>
[2034] 18/9/2011 -- 17:07:47 - (tm-threads.c:1693) <Info> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 management threads initialized, engine started.<br>^C[2034] 18/9/2011 -- 17:08:21 - (suricata.c:1497) <Info> (main) -- signal received<br>
[2034] 18/9/2011 -- 17:08:21 - (suricata.c:1506) <Info> (main) -- EngineStop received<br>[2044] 18/9/2011 -- 17:08:21 - (source-pcap.c:551) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 73, bytes 24531<br>
[2044] 18/9/2011 -- 17:08:21 - (source-pcap.c:562) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:75 Recv:75 Drop:0 (0.0%).<br>[2034] 18/9/2011 -- 17:08:21 - (suricata.c:1541) <Info> (main) -- all packets processed by threads, stopping engine<br>
[2034] 18/9/2011 -- 17:08:21 - (suricata.c:1548) <Info> (main) -- time elapsed 35s<br>[2045] 18/9/2011 -- 17:08:21 - (stream-tcp.c:3849) <Info> (StreamTcpExitPrintStats) -- (Decode & Stream) Packets 53<br>
[2048] 18/9/2011 -- 17:08:21 - (alert-fastlog.c:331) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 13<br>[2048] 18/9/2011 -- 17:08:21 - (alert-unified2-alert.c:821) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 13 alerts<br>
[2048] 18/9/2011 -- 17:08:21 - (log-httplog.c:404) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 2<br>[2048] 18/9/2011 -- 17:08:21 - (alert-debuglog.c:451) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 13<br>
[2048] 18/9/2011 -- 17:08:21 - (log-droplog.c:388) <Info> (LogDropLogExitPrintStats) -- (Outputs) Dropped Packets 0<br>[2049] 18/9/2011 -- 17:08:21 - (flow.c:1148) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state<br>
[2034] 18/9/2011 -- 17:08:21 - (stream-tcp-reassemble.c:355) <Info> (StreamTcpReassembleFree) -- Max memuse of the stream reassembly engine 11220864 (in use 0)<br>[2034] 18/9/2011 -- 17:08:21 - (stream-tcp.c:509) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 4587520 (in use 0)<br>
[2034] 18/9/2011 -- 17:08:21 - (detect.c:3682) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete<br><br>real 4m18.090s<br>user 3m3.455s<br>sys 0m21.833s<br>root@ubuntu32:~# <br>
<br>""<br><br>Thanks<br><br><br><div class="gmail_quote">On Sun, Sep 18, 2011 at 8:06 PM, Martin Holste <span dir="ltr"><<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I'm seeing load times of greater than a half hour with a standard<br>
setup, using default config values:<br>
<br>
[25718] 18/9/2011 -- 11:25:53 - (detect.c:2440) <Info><br>
(SigAddressPrepareStage1) -- 9301 signatures processed. 2013 are<br>
IP-only rules, 2796 are inspecting packet payload, 2739 inspect<br>
application layer, 0 are decoder/engine/stream event only<br>
[25718] 18/9/2011 -- 11:25:53 - (detect.c:2443) <Info><br>
(SigAddressPrepareStage1) -- building signature grouping structure,<br>
stage 1: adding signatures to signature source addresses... complete<br>
[25718] 18/9/2011 -- 11:31:53 - (detect.c:3085) <Info><br>
(SigAddressPrepareStage2) -- building signature grouping structure,<br>
stage 2: building source address list... complete<br>
[25718] 18/9/2011 -- 11:59:07 - (detect.c:3642) <Info><br>
(SigAddressPrepareStage3) -- MPM memory 330428951 (dynamic 330428951,<br>
ctxs 0, avg per ctx 0)<br>
[25718] 18/9/2011 -- 11:59:07 - (detect.c:3644) <Info><br>
(SigAddressPrepareStage3) -- max sig id 9301, array size 1163<br>
[25718] 18/9/2011 -- 11:59:07 - (detect.c:3655) <Info><br>
(SigAddressPrepareStage3) -- building signature grouping structure,<br>
stage 3: building destination address lists... complete<br>
<br>
I think 6 minutes is a pretty long time to compile signatures (stage<br>
1), but I've seen that before. Why does it take 28 minutes to build a<br>
source address list? I'm using the standard ET ruleset.<br>
_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>
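The question in this thread is which startup phase is eating the time. Below is an added example, not code from the thread or from the Suricata project: a small Python script that parses the Suricata 1.x startup log format shown above and reports the seconds spent between consecutive signature-grouping milestones, the MPM memory figure, and any <Warning> lines. The two embedded logs are copied from the outputs quoted above (Martin's line-wrapped log re-joined onto single lines); the phase labels in MILESTONES are my own names, and attributing the gap between two "complete" messages to the later stage is an assumption that the engine logs each stage as it finishes.

```python
import re
from datetime import datetime

# Suricata 1.x startup log line, as seen in the thread:
# [pid] d/m/Y -- H:M:S - (file.c:line) <Level> (Function) -- message
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<date>\d+/\d+/\d+) -- (?P<time>\d+:\d+:\d+) - "
    r"\((?P<src>[^)]+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$"
)

# Startup milestones in the order the engine emits them. A phase is measured
# from the previous milestone to its own. Labels are my own (assumption);
# the needles are substrings of the real log messages.
MILESTONES = [
    ("rules parsed", "signatures processed"),
    ("stage 1", "stage 1: adding signatures"),
    ("stage 2", "stage 2: building source address list"),
    ("stage 3", "stage 3: building destination address lists"),
    ("output/thread init", "engine started"),
]

# Sample input: the two startup logs quoted in this thread (Peter's, then
# Martin's with wrapped lines re-joined); stream/output lines omitted.
PETER_LOG = """\
[2034] 18/9/2011 -- 17:05:07 - (detect.c:2440) <Info> (SigAddressPrepareStage1) -- 29875 signatures processed. 1285 are IP-only rules, 19921 are inspecting packet payload, 8883 inspect application layer, 72 are decoder/engine/stream event only
[2034] 18/9/2011 -- 17:05:07 - (detect.c:2443) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[2034] 18/9/2011 -- 17:05:36 - (detect.c:3085) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[2034] 18/9/2011 -- 17:07:20 - (detect.c:3642) <Info> (SigAddressPrepareStage3) -- MPM memory 2119838502 (dynamic 2119838502, ctxs 0, avg per ctx 0)
[2034] 18/9/2011 -- 17:07:20 - (detect.c:3655) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[2034] 18/9/2011 -- 17:07:46 - (util-threshold-config.c:135) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[2034] 18/9/2011 -- 17:07:46 - (runmodes.c:342) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring
[2034] 18/9/2011 -- 17:07:47 - (tm-threads.c:1693) <Info> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 management threads initialized, engine started.
"""

MARTIN_LOG = """\
[25718] 18/9/2011 -- 11:25:53 - (detect.c:2440) <Info> (SigAddressPrepareStage1) -- 9301 signatures processed. 2013 are IP-only rules, 2796 are inspecting packet payload, 2739 inspect application layer, 0 are decoder/engine/stream event only
[25718] 18/9/2011 -- 11:25:53 - (detect.c:2443) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[25718] 18/9/2011 -- 11:31:53 - (detect.c:3085) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[25718] 18/9/2011 -- 11:59:07 - (detect.c:3642) <Info> (SigAddressPrepareStage3) -- MPM memory 330428951 (dynamic 330428951, ctxs 0, avg per ctx 0)
[25718] 18/9/2011 -- 11:59:07 - (detect.c:3655) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
"""


def parse_line(line):
    """Parse one log line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    return {"ts": ts, "level": m["level"], "func": m["func"], "msg": m["msg"]}


def parse_log(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def stage_durations(log_text):
    """[(phase, seconds)] for each milestone reached, measured from the
    previous milestone's timestamp; milestones absent from the log are skipped."""
    events = parse_log(log_text)
    reached = []
    for label, needle in MILESTONES:
        hit = next((e for e in events if needle in e["msg"]), None)
        if hit is not None:
            reached.append((label, hit["ts"]))
    return [
        (label, int((ts - prev_ts).total_seconds()))
        for (_, prev_ts), (label, ts) in zip(reached, reached[1:])
    ]


def slowest_phase(log_text):
    """Name and duration of the phase that dominated startup."""
    return max(stage_durations(log_text), key=lambda p: p[1])


def mpm_memory_bytes(log_text):
    """Bytes reported for the multi-pattern-matcher contexts, or None."""
    for e in parse_log(log_text):
        m = re.search(r"MPM memory (\d+)", e["msg"])
        if m:
            return int(m.group(1))
    return None


def warnings(log_text):
    """Messages logged at <Warning> level (missing files, ignored modules)."""
    return [e["msg"] for e in parse_log(log_text) if e["level"] == "Warning"]


def report(name, log_text):
    print(f"== {name}")
    for label, secs in stage_durations(log_text):
        print(f"  {label:<20} {secs:6d}s")
    phase, secs = slowest_phase(log_text)
    print(f"  slowest: {phase} ({secs}s); MPM memory {mpm_memory_bytes(log_text)} bytes")
    for w in warnings(log_text):
        print(f"  warning: {w}")


if __name__ == "__main__":
    report("Peter, 29875 sigs", PETER_LOG)
    report("Martin, 9301 sigs", MARTIN_LOG)
```

Run it as-is to see the per-phase breakdown for both logs; to use it on a live box, pipe the output of `time suricata -c suricata.yaml -i eth0` into `parse_log`. The warning lines are worth reading alongside the timings, since a misspelled output module or a missing threshold.config is silently ignored rather than fatal.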