[Snort-users] Snort CPU consumptions
bala150985 at ...11827...
Wed Jan 8 11:35:18 EST 2014
Let us consider a snort signature with a CPU expensive PCRE match as show
Would the PCRE consume a lot of CPU cycles if the entire traffic which this
snort saw is just port 80 to the HOME_NET ?
alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE";
pcre:"/.+/i"; rev:1; sid:100001)
My answer would be no ? Is there any other contradicting answer to the
same ? My doubt is due to the fact that I saw a peculiar case where the
traffic was not on port 888 and still this sort of a rule managed to bubble
up the worst performers in pref-profiling.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users