[Snort-users] pcre high cpu usage

Tomas Heredia tomas.heredia at ...12297...
Tue Oct 19 10:12:15 EDT 2010


>
>>         BTW: most offending rules (with like 10000 ticks avg!!) were
>>         4676 and 4677, related to Oracle Enterprise Manager. They had
>>         the destination restricted to the only OEM in the net, but
>>         that was enough to cause those delays... Maybe it's time to
>>         think about PCRE offloading! :-)
>>         Best regards,
>>         Tomás
>>
>>
>>     What revisions of those rules are you running? We had revs out
>>     briefly that were severely problematic, and we updated them as
>>     soon as we realized. I want to make sure the current versions of
>>     those two aren't causing problems.
>     Both rev 5, updated on Oct 12
>
>     Regards,
>     Tomás
>
>
> In that case, I would suggest keeping them disabled, as that's the
> current rev. We'll see if we can tweak any further.
Already disabled... the delays sometimes got up to 1 sec., and that was
quite a problem :-)
We've learned a new lesson: always keep an eye on perf profiling after
applying updates :-)

Best regards,
Tomás

>
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...
