Snort mailing list archives

Re: PCRE


From: Brian <bmc () snort org>
Date: Fri, 19 Dec 2003 15:12:24 -0500

On Fri, Dec 19, 2003 at 02:19:54PM -0500, adam.w.hogan wrote:
> Does using pcre in signatures tax the CPU?  When is it proper and/or
> efficient to use pcre?  I'm very familiar with perl regular
> expressions and it would be easier to write rules with pcre than
> content & distance, within, etc.  Is there a downside to using pcre
> for this?
>
> I suppose I ask because it sounds like too much of a good thing.
> Between pcre and thresholding I think it will be a lot easier and
> far more efficient to write rules for Snort.

If you can get away with writing rules without pcre, do it.  The
slowdown isn't really caused by using pcre, but by not using content.
Because of the multi-pattern matching foo in the detection engine in
2.0 (and beyond), rules without content are MUCH slower than rules
that are just PCRE.

PCRE rules should ALWAYS have at least ONE content keyword.  Also, if
you can get away with writing rules without PCRE, do it.  Normal
pattern matching is still faster; it is just missing a few of the
whiz-bang features that are needed to do some types of detection.

-brian
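The advice above rests on one mechanism: Snort's multi-pattern content matcher runs first over the whole rule set, and a rule's PCRE is only evaluated on packets where the rule's content literal was found. The following toy engine, added here as an illustration and not code from the thread or from the Snort project, makes that visible: two rules carry the same regex, one with a content anchor and one without, and the engine counts how often each regex actually executes over a handful of constructed HTTP request lines. The rule sids, the regex, and the payloads are all made up for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int            # hypothetical rule id, constructed for this example
    pcre: str           # regex, i.e. the body of Snort's pcre:"/.../" option
    content: str = ""   # optional literal the fast-pattern matcher can use


# Constructed rules: the same regex in both, but only the first has a
# content keyword that the multi-pattern matcher can prefilter on.
RULES = [
    Rule(sid=1000001, content="/cgi-bin/", pcre=r"/cgi-bin/[^\s]+\.\.(/|\\)"),
    Rule(sid=1000002, content="", pcre=r"/cgi-bin/[^\s]+\.\.(/|\\)"),
]

# Constructed HTTP request lines standing in for packet payloads.
PAYLOADS = [
    "GET /index.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /cgi-bin/search?q=snort HTTP/1.0",
    "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0",
    "POST /login HTTP/1.0",
    "GET /docs/../../etc/passwd HTTP/1.0",
]


def run_engine(rules, payloads):
    """Toy detection engine.

    Returns (alerts, pcre_evals): alerts is a list of (sid, payload) pairs,
    pcre_evals maps sid -> number of times that rule's regex was executed.
    A rule with a content keyword is handed to the regex engine only when
    its literal occurs in the payload; a plain substring test stands in for
    Snort's multi-pattern search, which does this for all rules at once.
    """
    compiled = {r.sid: re.compile(r.pcre) for r in rules}
    pcre_evals = {r.sid: 0 for r in rules}
    alerts = []
    for payload in payloads:
        for r in rules:
            if r.content and r.content not in payload:
                continue  # fast path: literal absent, regex never runs
            pcre_evals[r.sid] += 1
            if compiled[r.sid].search(payload):
                alerts.append((r.sid, payload))
    return alerts, pcre_evals


if __name__ == "__main__":
    alerts, evals = run_engine(RULES, PAYLOADS)
    for sid, n in evals.items():
        print(f"sid {sid}: regex executed {n} times over {len(PAYLOADS)} payloads")
    for sid, payload in alerts:
        print(f"alert sid {sid}: {payload}")
```

Both rules raise the same single alert, but the content-anchored rule runs its regex on two payloads while the content-less rule runs it on all six. The regex is still needed for the `..` followed by either slash, which a bare content match cannot express; the content keyword is there to keep that regex off the packets that cannot possibly match.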

