[Snort-users] pcre high cpu usage
tomas.heredia at ...12297...
Tue Oct 19 10:12:15 EDT 2010
>> BTW: most offending rules (with like 10000 ticks avg!!) were
>> 4676 and 4677, related to Oracle Enterprise Manager. They had
>> the destination restricted to the only OEM in the net, but
>> that was enough to cause those delays... Maybe it's time to
>> think about PCRE offloading! :-)
>> Best regards,
>> What revisions of those rules are you running? We had revs out
>> briefly that were severely problematic, and we updated them as
>> soon as we realized. I want to make sure the current versions of
>> those two aren't causing problems.
> both rev 5, updated on oct 12
> In that case, I would suggest keeping them disabled, as that's the
> current rev. We'll see if we can tweak any further.
Already disabled... the delays sometimes got up to 1 sec., and that was
quite a problem :-)
We've learned a new lesson: always keep an eye on perf profiling after
applying updates :-)
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> alex.kirk at ...1935...