[Snort-users] pcre high cpu usage

Joel Esler jesler at ...1935...
Mon Oct 18 18:27:29 EDT 2010


On Oct 18, 2010, at 5:51 PM, Tomas Heredia wrote:
> Hi all!
> 
> Lately, new rules applied to our sensor started to consume too much CPU
> (not too much, but causing host load to go to 0.4 permanent). I followed
> the problem and found it was PCRE causing it. The problem is that this
> is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
> some packets (doing a ping, 1 every 30 or so packets gets delayed).
> 
> So, how do you think "config pcre_match_limit 100" and "config
> pcre_match_limit_recursion 100" would affect detection? (as false
> negatives).
> 
> Do you have any other suggestion (aside from not using pcre rules :-)) to
> get better PCRE performance?

Are you running in inline mode, or IDS mode?  Are you dropping packets?



--
Joel Esler
302-223-5974




