Snort mailing list archives

Re: pcre high cpu usage
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 19 Oct 2010 10:08:28 -0400

On Tue, Oct 19, 2010 at 10:00 AM, Tomas Heredia <tomas.heredia () activesec biz

On 19/10/2010 10:50 a.m., Alex Kirk wrote:

BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and
4677, related to Oracle Enterprise Manager. They had the destination
restricted to the only OEM in the net, but that was enough to cause those
delays... Maybe it's time to think about PCRE offloading! :-)
Best regards,

 What revisions of those rules are you running? We had revs out briefly
that were severely problematic, and we updated them as soon as we realized.
I want to make sure the current versions of those two aren't causing

Both rev 5, updated on Oct 12


In that case, I would suggest keeping them disabled, as that's the current
rev. We'll see if we can tweak any further.

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk () sourcefire com