[Snort-users] Snort CPU consumptions

Balasubramaniam Natarajan bala150985 at ...11827...
Wed Jan 8 11:35:18 EST 2014


Let us consider a snort signature with a CPU expensive PCRE match as show

Would the PCRE consume a lot of CPU cycles if the entire traffic which this
snort saw is just port 80 to the HOME_NET ?

alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE";
pcre:"/.+/i"; rev:1; sid:100001)

My answer would be no ?  Is there any other contradicting answer to the
same ?  My doubt is due to the fact that I saw a peculiar case where the
traffic was not on port 888 and still this sort of a rule managed to bubble
up the worst performers in pref-profiling.

Balasubramaniam Natarajan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140108/b100fe93/attachment.html>

More information about the Snort-users mailing list