Snort mailing list archives

Re: [Snort-sigs] Overhead caused by PCRE?


From: Brian <bmc () snort org>
Date: Wed, 2 Mar 2005 11:15:08 -0500

On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
> I have a question regarding using PCRE in Snort rules.  If I write
> 100 rules using content: and 100 using PCRE, will there be a
> noticeable difference in processing time or CPU utilization?

Yes & No.  I'll try to explain with the 4 different cases I come
across on a regular basis.

1) single rule, single string match

   In the single rule string match case, both PCRE & content use
   Boyer-Moore.  However, pcre has a small amount of additional
   function call overhead, giving content a slight win.  However, in
   most cases the additional overhead is negligible.

2) multiple single string match

   If all the rules are doing is a simple string match, pcre will win
   by a long shot if implemented as a single combined pcre statement.  
   
   While the multi-pattern match engine in Snort can be faster, the
   additional function call overhead of evaluating multiple rules
   makes pcre the clear winner.

   This implementation has the drawback of Snort only generating a
   single message for all of the patterns that make up the pcre.  This
   method should only be used when this drawback is acceptable.
   
   See virus.rules for an example of an "optimized" combined pcre
   statement.
 
3) multiple rules, single string match and other detection plugins

   content wins here, same as in the single rule single content.
   Multiple pcre statements are slower than multiple contents.

4) multiple rules, complex pattern match

   If the string match is more complicated than what can be
   implemented with "strcmp", then pcre is the only way to go.
   content can't do complicated pattern matching, so pcre is the only
   method available.  As such pcre wins.

Brian


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
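As an added example, not part of the original message or of the Snort project: a small Python helper that builds the kind of combined pcre option Brian describes in case 2 from a list of content: strings, and contrasts it with matching each content separately, which is the trade-off he points out (one message for the whole alternation versus one per rule). It assumes Snort's content syntax of literal text with |hex bytes| sections (backslash escapes such as \| are not handled), and uses Python's re module only to sanity-check the generated pattern; the constructs it emits (a non-capturing alternation of literal characters and \xHH escapes) behave the same under PCRE. All function names, the sample contents and the sample payloads are constructed for this example.

```python
import re
from typing import List

# Constructed sample content: arguments in Snort syntax (literal text, |hex bytes|);
# these are not from any real ruleset.
CONTENTS = [
    "GET /cmd.exe",
    "|4d 5a 90 00|",
    "User-Agent|3a| Evil",
]

# Constructed sample payloads: the first three each contain exactly one of the
# contents above, the last contains none.
PAYLOADS = [
    b"GET /cmd.exe?/c+dir HTTP/1.0\r\n",
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"GET /index.html HTTP/1.0\r\nUser-Agent: Evil\r\n",
    b"GET /index.html HTTP/1.0\r\n",
]


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content: argument (without its quotes) into raw bytes.

    Text outside |...| is literal; inside the pipes are space-separated hex
    bytes.  Assumption: the argument contains no backslash escapes.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out.extend(part.encode("latin-1"))
        else:
            out.extend(int(h, 16) for h in part.split())
    return bytes(out)


def pcre_literal(data: bytes) -> str:
    """Escape bytes so they match literally inside a PCRE.

    Everything except ASCII letters and digits becomes \\xHH.  That neutralises
    regex metacharacters and also keeps '/', ';' and '"' (the pcre delimiter
    and Snort's option separators) out of the generated rule text.
    """
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and chr(b).isalnum() else "\\x%02x" % b
        for b in data
    )


def combine_contents(contents: List[str], nocase: bool = False) -> str:
    """Build one pcre: option that matches any of the given contents."""
    alts = "|".join(pcre_literal(parse_snort_content(c)) for c in contents)
    return 'pcre:"/(?:%s)/%s";' % (alts, "i" if nocase else "")


def pcre_option_to_regex(option: str) -> "re.Pattern[bytes]":
    """Compile the body of a pcre:"/.../flags"; option with Python's re."""
    m = re.fullmatch(r'pcre:"/(.*)/([A-Za-z]*)";', option, re.S)
    if not m:
        raise ValueError("not a pcre option: %r" % option)
    body, flags = m.group(1), m.group(2)
    return re.compile(body.encode("latin-1"), re.I if "i" in flags else 0)


def matches_combined(option: str, payload: bytes) -> bool:
    """The combined rule's view: one yes/no, with no indication of which
    content inside the alternation produced the hit."""
    return pcre_option_to_regex(option).search(payload) is not None


def matching_contents(contents: List[str], payload: bytes) -> List[str]:
    """The one-rule-per-content view: the identity of every content that hit."""
    return [c for c in contents if parse_snort_content(c) in payload]


if __name__ == "__main__":
    option = combine_contents(CONTENTS)
    print(option)
    for p in PAYLOADS:
        print(matches_combined(option, p), matching_contents(CONTENTS, p), p[:24])
```

The generated option is what would go into a single rule in place of several content: rules; matches_combined shows what that single rule can tell you, and matching_contents shows the per-pattern identity you give up by combining, which is the drawback the message describes for case 2.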