Re: pcre high cpu usage

[Tomas Heredia <tomas.heredia () activesec biz>]

 El 18/10/2010 07:27 p.m., Joel Esler escribió:
> On Oct 18, 2010, at 5:51 PM, Tomas Heredia wrote:
> > Hi all!
> >
> > Lately, new rules applied to our sensor started to consume too much CPU
> > (not too much, but causing host load to go to 0.4 permanent). I folowed
> > the problem and found it was PCRE causing it. The problem is that this
> > is causing some TREMENDOUS delays in packets... from 50 to 1000 ms, in
> > some packets (doing a ping, 1 every 30 or so packets gets delayed).
> >
> > So, How do yo think "config pcre_match_limit 100" and "config
> > pcre_match_limit_recursion 100" would affect detection? (as false
> > negatives).
> >
> > Do you have any other sugestion (aside from not using pcre rules :-)) to
> > get beter PCRE performance?
> Are you running in inline mode, or IDS mode?  Are you dropping packets?
Excuse me :-)
Inline mode. Snort 2.8.6.0 (Ok, planning upgrade anyway). No packets get
droped. Just huge delays in some packets. Delay goes off if I put

config pcre_match_limit 25
onfigpcre_match_limit_recursion 25

But I don't think it's a good idea. Is it?

Thanks!


------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users