On Wed, 3 Nov 2021, Bill Cole wrote:

> The most common reason for SA to hit its internal timeout is the combination of a rule with a pattern that can generate a large number of backtracks while scanning (exponential or factorial order) and a message which causes such backtracking. Typically that's caused by a '*' or '+' in a pattern where a fixed range for the number of repeats should be used instead.

...or a non-greedy match if you're running a newer Perl.

> If you have any unbounded wildcards in your local rules, tightening those rules up should be your first step. If you can't find and fix the problematic rule by eye, you can get clues about it by scanning a problematic message with the "-D all" option to get a detailed rundown of what SA does in scanning a message. That will show you what rules are checked successfully. You can find a problematic rule by comparing that debug output from a bad message to that of a message which doesn't hang SA.

There's also the HitFreqsRuleTiming plugin if you're running in a dev environment and can let it scan for a potentially long time (until completion).


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 4 days until Daylight Saving Time ends in U.S. - Fall Back
  Getting an extra hour of 2021 is like
  getting a free track on a Yoko Ono album.
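
Added example, not part of the message above and not SpamAssassin code: a small Python audit that lists which rules in a local rules file use unbounded quantifiers ('*', '+', '{n,}'), as a starting point for the tightening the thread recommends. The rule names and patterns are constructed, only /.../-delimited patterns are handled, and a hit marks a rule to review, not a confirmed backtracking problem.

```python
import re

REGEX_RULE_TYPES = {"body", "rawbody", "full", "uri", "header"}  # rules ending in a regex

# Constructed sample rules file; the rule names and patterns are made up.
SAMPLE_CF = r"""
body     LOCAL_PAD_LOOSE  /click\s+here.*unsubscribe/i
body     LOCAL_PAD_TIGHT  /click\s{1,5}here.{0,80}unsubscribe/i
header   LOCAL_SUBJ_NEST  Subject =~ /^(\w+\s*)+!$/
rawbody  LOCAL_LITERAL    /a\+b\*c[*+]/
uri      LOCAL_URI_OPEN   /\/track\/[a-z0-9]{8,}/
score    LOCAL_PAD_LOOSE  1.5
"""

def unbounded_quantifiers(pattern):
    """List the unbounded quantifiers (*, +, {n,}) in a regex source string."""
    found, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                 # escaped character is a literal
            i += 2
            continue
        if in_class:                   # inside [...] nothing is a quantifier
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "*+":
            found.append(ch)
            if pattern[i + 1:i + 2] in ("?", "+"):   # lazy or possessive suffix
                i += 1
        elif (m := re.match(r"\{\d+,\}", pattern[i:])):  # open-ended {n,}
            found.append(m.group(0))
        i += 1
    return found

def audit(cf_text):
    """Map rule name -> unbounded quantifiers found in its /.../ pattern."""
    report = {}
    for line in cf_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in REGEX_RULE_TYPES:
            continue
        rest = parts[2]
        start, end = rest.find("/"), rest.rfind("/")
        hits = unbounded_quantifiers(rest[start + 1:end]) if start < end else []
        if hits:
            report[parts[1]] = hits
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CF))
```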
