Snort mailing list archives
Re: pcre high cpu usage
From: Tomas Heredia <tomas.heredia () activesec biz>
Date: Tue, 19 Oct 2010 10:49:05 -0300
On 18/10/2010 08:13 p.m., Alex Kirk wrote:
>> config pcre_match_limit 25
>> config pcre_match_limit_recursion 25
>>
>> But I don't think it's a good idea. Is it?
>
> No, that's a terrible idea. You might as well just disable all the rules that use PCRE if you set a limit that low.

I've already been thinking about that :-)

> Chances are high, based on the collective experience of the group, that you've got a small number of rules hogging a large amount of processing power, and if you can identify them and either tune or disable them, you'll be in way better shape. To ID them, you'll want to enable:
>
> config profile_rules: print 50, sort avg_ticks
>
> This will print the top 50 worst offending rules, in order of the average number of CPU "ticks" it takes to run them, on exit. See the README.PerfProfiling file and the list archives for more information if you need it.

Thanks! I was already analyzing performance profiling, but looking at total ticks by rule (and preproc). That made me lower the overall CPU usage... But avg-ticks was what I needed to identify delays. Thanks again!

BTW: most offending rules (with like 10000 ticks avg!!) were 4676 and 4677, related to Oracle Enterprise Manager. They had the destination restricted to the only OEM in the net, but that was enough to cause those delays... Maybe it's time to think about PCRE offloading! :-)

Best regards,
Tomás

> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com
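An added example (not part of the thread and not Snort project code): it ranks a rule-profile table by total ticks and by average ticks per check to show why the two sort orders surface different rules, as the message above describes. The table layout and every number are constructed assumptions; only SIDs 4676 and 4677 come from the thread, and 9000001/9000002 are placeholders.

```python
import re

# Constructed sample modelled on a rule-profile table. Assumed column order:
# Num SID GID Rev Checks Matches Alerts Ticks Avg/Check Avg/Match Avg/Nonmatch
SAMPLE = """\
   Num      SID GID Rev     Checks   Matches    Alerts        Ticks Avg/Check  Avg/Match Avg/Nonmatch
   ===      === === ===     ======   =======    ======        ===== =========  ========= ============
     1     4676   1   5        310         0         0      3286000   10600.0        0.0      10600.0
     2     4677   1   5        305         0         0      3080500   10100.0        0.0      10100.0
     3  9000001   1   1    2400000        12        12     96000000      40.0      900.0         40.0
     4  9000002   1   1    1100000         0         0     27500000      25.0        0.0         25.0
"""

# Num, SID, GID, Rev, Checks, Matches, Alerts, Ticks, Avg/Check
ROW = re.compile(
    r"^\s*\d+\s+(\d+)\s+(\d+)\s+\d+\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+([\d.]+)")

def parse_profile(text):
    """Return one dict per rule row; header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, gid, checks, ticks, avg = m.groups()
            rules.append({"sid": int(sid), "gid": int(gid),
                          "checks": int(checks), "ticks": int(ticks),
                          "avg_check": float(avg)})
    return rules

def rank(rules, key, n=2):
    """Top-n SIDs by the given column, highest first."""
    ordered = sorted(rules, key=lambda r: r[key], reverse=True)
    return [r["sid"] for r in ordered[:n]]

def latency_outliers(rules, factor=10.0):
    """SIDs whose avg ticks/check exceed factor x the check-weighted mean."""
    total_checks = sum(r["checks"] for r in rules)
    if total_checks == 0:
        return []
    mean = sum(r["ticks"] for r in rules) / total_checks
    return sorted(r["sid"] for r in rules if r["avg_check"] > factor * mean)

if __name__ == "__main__":
    rules = parse_profile(SAMPLE)
    print("top by total ticks:", rank(rules, "ticks"))      # overall CPU cost
    print("top by avg ticks  :", rank(rules, "avg_check"))  # per-packet delay
    print("latency outliers  :", latency_outliers(rules))
```

In the constructed data the rarely checked rules dominate the average-ticks ranking while barely registering in total ticks, which is the pattern the thread reports for a rule restricted to a single destination host.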