[Snort-users] pcre high cpu usage

Tomas Heredia tomas.heredia at ...12297...
Mon Oct 18 18:57:40 EDT 2010


On 18/10/2010 07:27 p.m., Joel Esler wrote:
> On Oct 18, 2010, at 5:51 PM, Tomas Heredia wrote:
>> Hi all!
>>
>> Lately, new rules applied to our sensor started to consume too much CPU
>> (not too much, but causing host load to go to 0.4 permanent). I followed
>> the problem and found it was PCRE causing it. The problem is that this
>> is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
>> some packets (doing a ping, 1 every 30 or so packets gets delayed).
>>
>> So, How do you think "config pcre_match_limit 100" and "config
>> pcre_match_limit_recursion 100" would affect detection? (as false
>> negatives).
>>
>> Do you have any other suggestion (aside from not using pcre rules :-)) to
>> get better PCRE performance?
> Are you running in inline mode, or IDS mode?  Are you dropping packets?
Excuse me :-)
Inline mode. Snort 2.8.6.0 (Ok, planning upgrade anyway). No packets get
dropped. Just huge delays in some packets. Delay goes off if I put

config pcre_match_limit 25
config pcre_match_limit_recursion 25

But I don't think it's a good idea. Is it?

Thanks!




