Home page logo
/

snort logo Snort mailing list archives

Re: pcre high cpu usage
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 19 Oct 2010 10:08:28 -0400

On Tue, Oct 19, 2010 at 10:00 AM, Tomas Heredia <tomas.heredia () activesec biz
wrote:

 El 19/10/2010 10:50 a.m., Alex Kirk escribió:

 BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and
4677, related to Oracle Enterprise Manager. They had the destination
restricted to the only OEM in the net, but that was enough to cause that
delays... May be it's time to think in PCRE ofloading! :-)
Best regards,
Tomás


 What revisions of those rules are you running? We had revs out briefly
that were severely problematic, and we updated them as soon as we realized.
I want to make sure the current versions of those two aren't causing
problems.

both rev 5, updated on oct 12

Regards,
Tomás


In that case, I would suggest keeping them disabled, as that's the current
rev. We'll see if we can tweak any further.

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault