Zeek regular expression consumes a lot of memory #450

shuaidonga opened this issue Jul 2, 2019 · 2 comments


None yet
4 participants
Copy link

commented Jul 2, 2019

After writing a zeek regex that matches the phone number, the zeek work consumes a huge increase in memory.
The following is my matching regular expression script
The above processing will consume a lot of memory. Is there any good solution?



commented Jul 2, 2019

Sorry about the high memory use. If the pattern matching is really what is so expensive, some quick thoughts:

  1. I'd imagine that the event http_message_done is happening with some frequency. Even if the pattern matching is fairly low cost, that cost could add up if you're doing it every time an HTTP message finishes. Maybe there is a way you could narrow that down?

  2. In assert_num11_not_contain_num12 could you just match against /[0-9]{11}([^0-9]|$)/? My regex is a little rusty, but the idea there is to match against 11 numbers and then something else or the end of the text. That way you don't have to check for an 11 digit number and then a 12 digit one. You could also try and just add a check like that to the end of your mobile_regex and then match that against the response body.
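
An added example, not part of the thread or the Zeek project's code: it runs the pattern from the comment above through Python's `re` (not Zeek's matcher) over constructed bodies, beside a hypothetical two-step check and a variant with a leading boundary added, to show how each treats digit runs longer than 11. The names `two_step`, `classify`, `TRAILING_ONLY` and `BOTH_SIDES` and the leading-boundary pattern are assumptions made for this illustration.

```python
import re

# Pattern exactly as suggested in the comment: 11 digits, then a non-digit or end.
TRAILING_ONLY = re.compile(r"[0-9]{11}([^0-9]|$)")
# Assumption (not from the thread): also require a non-digit or start before the run.
BOTH_SIDES = re.compile(r"(^|[^0-9])[0-9]{11}([^0-9]|$)")
# Hypothetical two-step check: an 11-digit run exists and no 12-digit run exists.
RUN_11 = re.compile(r"[0-9]{11}")
RUN_12 = re.compile(r"[0-9]{12}")


def two_step(body: str) -> bool:
    """Two passes over the body: find 11 digits, then reject on any 12-digit run."""
    return bool(RUN_11.search(body)) and not RUN_12.search(body)


def classify(body: str) -> tuple:
    """Return (two_step, trailing_only, both_sides) verdicts for one body."""
    return (
        two_step(body),
        bool(TRAILING_ONLY.search(body)),
        bool(BOTH_SIDES.search(body)),
    )


# Constructed sample bodies, not taken from any capture.
SAMPLES = [
    "tel=13800138000&x=1",                       # exactly 11 digits
    "id=138001380001",                           # a single 12-digit run
    "order 202001011234567 phone 13800138000.",  # 15-digit run plus an 11-digit number
    "no digits here",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body), repr(body))
```

On the 12-digit sample the trailing-only pattern still matches, because the last 11 digits are followed by the end of the text, and the two-step check misses the 11-digit number in the third sample because an unrelated longer run is present.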

jsiwek added the Area: Regex label Jul 9, 2019



commented Jul 10, 2019

Can you attach those files as text instead of images?
