[Snort-users] pcre high cpu usage

Tomas Heredia tomas.heredia at ...12297...
Mon Oct 18 17:51:47 EDT 2010

 Hi all!

Lately, new rules applied to our sensor started to consume too much CPU
(not too much, but causing host load to go to 0.4 permanent). I folowed
the problem and found it was PCRE causing it. The problem is that this
is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
some packets (doing a ping, 1 every 30 or so packets gets delayed).

So, How do yo think "config pcre_match_limit 100" and "config
pcre_match_limit_recursion 100" would affect detection? (as false

Do you have any other sugestion (aside from not using pcre rules :-)) to
get beter PCRE performance?

Best Regards,


More information about the Snort-users mailing list