Snort mailing list archives

Re: Case sensitive fast pattern matches

From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 5 Mar 2014 19:12:04 +0000

Hi Mike,

Actually, the reasons we choose case insensitive as default are performance and memory. The state machine can make a 
single pass thru the state machine -- consider each of three patterns:

HTTP, http, Http

All of those would match via the state machine on a single pass and
are in fact stored as the same state transitions. At the same time, this will also save on memory.

Best,
Hui.

From: Mike Cox <mike.cox52 () gmail com<mailto:mike.cox52 () gmail com>>
Date: Wednesday, March 5, 2014 at 10:02 AM
To: "snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>" <snort-devel () lists 
sourceforge net<mailto:snort-devel () lists sourceforge net>>, snort-sigs <snort-sigs () lists sourceforge 
net<mailto:snort-sigs () lists sourceforge net>>
Subject: [Snort-devel] Case sensitive fast pattern matches

Dear Snort Community,

I will keep this "short and sweet".  For many years I have appreciated the functionality of the Snort fast pattern 
matcher.  Yet I often wish (read: strongly desire) that it would be case-sensitive, or at the very least, have the 
capability to specify if a fast pattern match should be case sensitive or not.

A case sensitive match should be more efficient that one that is not and a lot of times, while I benefit from the 
overall performance enhancement from the fast pattern matcher, the engine has to re-evaluate the content match again 
because I need the match to be case sensitive so I can't set it as, "fast_pattern:only".  This is very frustrating 
(hence this email).

Thanks!

Mike Cox

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Case sensitive fast pattern matches Mike Cox (Mar 05)
- Re: Case sensitive fast pattern matches Hui Cao (huica) (Mar 05)
- Re: Case sensitive fast pattern matches waldo kitty (Mar 05)
  - Re: Case sensitive fast pattern matches lists (Mar 05)