<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    <br>
    <blockquote
      cite="mid:AANLkTikPnN+V0aOQ-yfojmSXnPJcBckQ_pwukBRKq-bT@...11828..."
      type="cite">
      <div class="gmail_quote">
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div bgcolor="#ffffff" text="#000000">
            <div class="im">
              <blockquote type="cite">
                <div class="gmail_quote">
                  <blockquote class="gmail_quote" style="margin: 0pt 0pt
                    0pt 0.8ex; border-left: 1px solid rgb(204, 204,
                    204); padding-left: 1ex;">
                    <div bgcolor="#ffffff" text="#000000">BTW: most
                      offending rules (with like 10000 ticks avg!!) were
                      4676 and 4677, related to Oracle Enterprise
                      Manager. They had the destination restricted to
                      the only OEM in the net, but that was enough to
                      cause that delays... May be it's time to think in
                      PCRE ofloading! :-)<br>
                      Best regards,<br>
                      Tomás
                      <div><br>
                      </div>
                    </div>
                  </blockquote>
                  <div><br>
                  </div>
                  <div>What revisions of those rules are you running? We
                    had revs out briefly that were severely problematic,
                    and we updated them as soon as we realized. I want
                    to make sure the current versions of those two
                    aren't causing problems.</div>
                </div>
              </blockquote>
            </div>
            both rev 5, updated on oct 12<br>
            <br>
            Regards,<br>
            Tomás<br>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
      In that case, I would suggest keeping them disabled, as that's the
      current rev. We'll see if we can tweak any further.<br clear="all">
    </blockquote>
    Already disabled... the delays sometimes got up to 1 sec., and that
    was quite a problem :-)<br>
    We've learned a new lesson: always keep an eye con perf profiling
    after applying updates :-)<br>
    <br>
    Best regards,<br>
    Tomás<br>
    <br>
    <blockquote
      cite="mid:AANLkTikPnN+V0aOQ-yfojmSXnPJcBckQ_pwukBRKq-bT@...11828..."
      type="cite"><br>
      -- <br>
      Alex Kirk<br>
      AEGIS Program Lead<br>
      Sourcefire Vulnerability Research Team<br>
      +1-410-423-1937<br>
      <a moz-do-not-send="true" href="mailto:alex.kirk@...1935...">alex.kirk@...1935...</a><br>
    </blockquote>
    <br>
  </body>
</html>