Snort mailing list archives
Re: PCRE Performance
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 10 Oct 2011 12:17:21 -0400
On 10/10/2011 09:10, vincent () ragosta net wrote:
Hello all, I wish to create a Snort signature to match a particular URI sequence. But, the latter part of the URI can vary. I have been told by others that the use of PCRE in Snort rules should be avoided at all costs due to the performance penalties of its use. Is this true? If so, is it possible to logically "OR" the content keyword to look for 1 of many possible, valid, URI sequences?
why is a PCRE needed? you cannot use just the non-changing portion of the URL? maybe i'm misunderstanding and it is not the whole "first part" that is the same? ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2dcopy1 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- PCRE Performance vincent (Oct 10)
- Re: PCRE Performance waldo kitty (Oct 10)
- Re: PCRE Performance Jamie Riden (Oct 10)
- Re: PCRE Performance vincent (Oct 10)
- Re: PCRE Performance Jason Wallace (Oct 10)
- Re: PCRE Performance vincent (Oct 10)
- Re: PCRE Performance vincent (Oct 10)