Snort mailing list archives

Possible issues with SSL Preprocessor?


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 5 Aug 2011 08:56:12 -0500

Hello.  I have what may be an issue with the SSL pre-processor
consuming processor cycles for encrypted traffic.  The Snort version is
2.9.0.5.

In my snort.conf I have the following line:

preprocessor ssl: noinspect_encrypted

When I start snort I run this:

# snort -c /etc/snort/snort.conf -u pcap -D -k none --daq afpacket -b -i eth0 "port 443"

Most of all the traffic this should see is SSL, and it should not be
inspected after Snort determines it is SSL due to the 4-way
handshake.
HOWEVER, this process is consuming 75-100% of my processor.   I
thought once Snort realized it was SSL (encrypted), it would not
inspect that stream anymore.  But then why so much processor usage?
Yes there is a lot of SSL traffic but just looking at 7 packets per
stream (maybe a few more depending on fragmentation, window size, and
PSH flags, etc.) does not seem logical to me to use so much of the
CPU.

Thank you for any insights.

-L0rd C.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

