Snort mailing list archives

Re: pcre high cpu usage
From: Tomas Heredia <tomas.heredia () activesec biz>
Date: Tue, 19 Oct 2010 11:12:15 -0300

        BTW: most offending rules (with like 10000 ticks avg!!) were
        4676 and 4677, related to Oracle Enterprise Manager. They had
        the destination restricted to the only OEM in the net, but
        that was enough to cause those delays... Maybe it's time to
        think about PCRE offloading! :-)
        Best regards,

    What revisions of those rules are you running? We had revs out
    briefly that were severely problematic, and we updated them as
    soon as we realized. I want to make sure the current versions of
    those two aren't causing problems.
    Both rev 5, updated on Oct 12


In that case, I would suggest keeping them disabled, as that's the
current rev. We'll see if we can tweak any further.
Already disabled... the delays sometimes got up to 1 sec., and that was
quite a problem :-)
We've learned a new lesson: always keep an eye on perf profiling after
applying updates :-)

Best regards,

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk () sourcefire com <mailto:alex.kirk () sourcefire com>
