[Snort-users] pcre high cpu usage

Alex Kirk akirk at ...1935...
Tue Oct 19 09:50:43 EDT 2010

> BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and 4677,
> related to Oracle Enterprise Manager. They had the destination restricted to
> the only OEM in the net, but that was enough to cause that delays... May be
> it's time to think in PCRE ofloading! :-)
> Best regards,
> Tomás
What revisions of those rules are you running? We had revs out briefly that
were severely problematic, and we updated them as soon as we realized. I
want to make sure the current versions of those two aren't causing problems.

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101019/b965dd7a/attachment.html>

More information about the Snort-users mailing list