[Snort-users] pcre high cpu usage
tomas.heredia at ...12297...
Mon Oct 18 17:51:47 EDT 2010
Lately, new rules applied to our sensor started to consume too much CPU
(not too much, but causing host load to go to 0.4 permanent). I folowed
the problem and found it was PCRE causing it. The problem is that this
is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
some packets (doing a ping, 1 every 30 or so packets gets delayed).
So, How do yo think "config pcre_match_limit 100" and "config
pcre_match_limit_recursion 100" would affect detection? (as false
Do you have any other sugestion (aside from not using pcre rules :-)) to
get beter PCRE performance?
More information about the Snort-users