Snort mailing list archives
Re: PCRE
From: Brian <bmc () snort org>
Date: Fri, 19 Dec 2003 15:12:24 -0500
On Fri, Dec 19, 2003 at 02:19:54PM -0500, adam.w.hogan wrote:
> Does using pcre in signatures tax the CPU? When is it proper and/or efficient to use pcre? I'm very familiar with perl regular expressions and it would be easier to write rules with pcre than content & distance, within, etc. Is there a downside to using pcre for this? I suppose I ask because it sounds like too much of a good thing. Between pcre and thresholding I think it will be a lot easier and far more efficient to write rules for Snort.
If you can get away with writing rules without pcre, do it. The slowdown isn't really by using pcre, but by not using content. Because of the multi-pattern matching fooo in the detection engine in 2.0 (and beyond), rules without content are MUCH slower than rules that are just PCRE. pcre rules should ALWAYS have at least ONE content keyword.

Also, if you can get away with writing rules without PCRE, do it. Normal pattern matching is still faster, it is just missing a few of the whizbang features that are needed to do some types of detection.

-brian
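
The "at least one content keyword" advice in the reply above can be checked mechanically over a rule file. This is an added example, not part of the original thread and not Snort's own code: a small Python linter that flags rules using pcre with no content keyword. The sample rules, SIDs and verdict labels are constructed, and treating uricontent as a content keyword is an assumption.

```python
# Constructed sample rules (not from the thread); SIDs use the local range.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"pcre only"; flow:to_server,established; pcre:"/\/admin\.php\?id=\d+/i"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"content plus pcre"; flow:to_server,established; content:"admin.php"; nocase; pcre:"/\/admin\.php\?id=\d+/i"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"content only"; content:"SITE EXEC"; nocase; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; pcre:"/x/"; sid:1000004;)
'''
# Assumption: uricontent counts as a content keyword, since it is also a literal match.
CONTENT_KEYWORDS = {"content", "uricontent"}

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    opts.append("".join(cur).strip())  # keep a final option that lacks a trailing ';'
    return [o for o in opts if o]

def lint_rule(line):
    """Return (sid, verdict) for one rule line, or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line or ")" not in line:
        return None
    body = line[line.index("(") + 1 : line.rindex(")")]
    names, sid = [], None
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        names.append(name.strip().lower())
        if names[-1] == "sid":
            sid = int(value.strip())
    if "pcre" not in names:
        return sid, "no-pcre"
    if any(n in CONTENT_KEYWORDS for n in names):
        return sid, "pcre-with-content"
    return sid, "pcre-without-content"  # the case the reply says to avoid

def lint(text):
    """Lint every active rule in a rule-file string."""
    return [r for r in map(lint_rule, text.splitlines()) if r]

if __name__ == "__main__":
    for sid, verdict in lint(SAMPLE_RULES):
        print(sid, verdict)
```
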