Snort mailing list archives

Re: pcre high cpu usage


From: Tomas Heredia <tomas.heredia () activesec biz>
Date: Tue, 19 Oct 2010 11:12:15 -0300



        BTW: most offending rules (with like 10000 ticks avg!!) were
        4676 and 4677, related to Oracle Enterprise Manager. They had
        the destination restricted to the only OEM in the net, but
        that was enough to cause those delays... Maybe it's time to
        think about PCRE offloading! :-)
        Best regards,
        Tomás


    What revisions of those rules are you running? We had revs out
    briefly that were severely problematic, and we updated them as
    soon as we realized. I want to make sure the current versions of
    those two aren't causing problems.

    Both rev 5, updated on Oct 12.

    Regards,
    Tomás


In that case, I would suggest keeping them disabled, as that's the
current rev. We'll see if we can tweak any further.

Already disabled... the delays sometimes got up to 1 sec., and that was
quite a problem :-)
We've learned a new lesson: always keep an eye on perf profiling after
applying updates :-)

Best regards,
Tomás


-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
