Snort mailing list archives

pcre high cpu usage


From: Tomas Heredia <tomas.heredia () activesec biz>
Date: Mon, 18 Oct 2010 18:51:47 -0300

 Hi all!

Lately, new rules applied to our sensor started to consume too much CPU
(not too much, but causing host load to go to 0.4 permanently). I followed
the problem and found it was PCRE causing it. The problem is that this
is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
some packets (doing a ping, 1 every 30 or so packets gets delayed).

So, how do you think "config pcre_match_limit 100" and "config
pcre_match_limit_recursion 100" would affect detection? (as false
negatives).

Do you have any other suggestion (aside from not using pcre rules :-)) to
get better PCRE performance?

Best Regards,
Tomás

   


