[Snort-users] pcre high cpu usage

Tomas Heredia tomas.heredia at ...12297...
Mon Oct 18 17:51:47 EDT 2010


 Hi all!

Lately, new rules applied to our sensor started to consume too much CPU
(not too much, but causing host load to go to 0.4 permanent). I followed
the problem and found it was PCRE causing it. The problem is that this
is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
some packets (doing a ping, 1 every 30 or so packets gets delayed).

So, how do you think "config pcre_match_limit 100" and "config
pcre_match_limit_recursion 100" would affect detection? (as false
negatives).

Do you have any other suggestion (aside from not using pcre rules :-)) to
get better PCRE performance?

Best Regards,
Tomás

   



