Snort mailing list archives

Re: PCRE Performance


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 10 Oct 2011 12:17:21 -0400

On 10/10/2011 09:10, vincent () ragosta net wrote:
Hello all,

I wish to create a Snort signature to match a particular URI sequence. But, the
latter part of the URI can vary. I have been told by others that the use of PCRE
in Snort rules should be avoided at all costs due to the performance penalties
of its use. Is this true? If so, is it possible to logically "OR" the content
keyword to look for 1 of many possible, valid, URI sequences?

why is a PCRE needed? you cannot use just the non-changing portion of the URL? 
maybe i'm misunderstanding and it is not the whole "first part" that is the same?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

