[Snort-users] pcre high cpu usage
akirk at ...1935...
Tue Oct 19 10:08:28 EDT 2010
On Tue, Oct 19, 2010 at 10:00 AM, Tomas Heredia <tomas.heredia at ...12297...
> On 19/10/2010 10:50 a.m., Alex Kirk wrote:
>> BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and
>> 4677, related to Oracle Enterprise Manager. They had the destination
>> restricted to the only OEM in the net, but that was enough to cause those
>> delays... Maybe it's time to think about PCRE offloading! :-)
>> Best regards,
> What revisions of those rules are you running? We had revs out briefly
> that were severely problematic, and we updated them as soon as we realized.
> I want to make sure the current versions of those two aren't causing
> both rev 5, updated on oct 12
In that case, I would suggest keeping them disabled, as that's the current
rev. We'll see if we can tweak any further.
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...1935...