[Snort-users] Snort 220.127.116.11 ignoring stream4
pmelson at ...11827...
Thu Apr 19 15:12:58 EDT 2007
> If I am not mistaken we got Paul on the path yesterday and all is well
now. I wil let him provide
> details if he feels it appropriate.
The culprit was a pair of old (circa 2.1) rules that had only a pcre:
pattern. These combined with changes made to Snort's pcre functionality
between 2.6.0 and 2.6.1 to cause the performance problem. Adding flow:
conditions to these rules fixed the problem.
If you're interested, I posted some more of the gory details on my blog:
More information about the Snort-users