[Snort-users] pcre high cpu usage

Alex Kirk akirk at ...1935...
Tue Oct 19 10:08:28 EDT 2010


On Tue, Oct 19, 2010 at 10:00 AM, Tomas Heredia <tomas.heredia at ...12297...> wrote:

>  On 19/10/2010 10:50 a.m., Alex Kirk wrote:
>
>> BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and
>> 4677, related to Oracle Enterprise Manager. They had the destination
>> restricted to the only OEM in the net, but that was enough to cause those
>> delays... Maybe it's time to think about PCRE offloading! :-)
>> Best regards,
>> Tomás
>>
>>
>  What revisions of those rules are you running? We had revs out briefly
> that were severely problematic, and we updated them as soon as we realized.
> I want to make sure the current versions of those two aren't causing
> problems.
>
> Both rev 5, updated on Oct 12
>
> Regards,
> Tomás
>
>
In that case, I would suggest keeping them disabled, as that's the current
rev. We'll see if we can tweak any further.

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...