Snort mailing list archives

Re: PCRE Performance


From: Jamie Riden <jamie.riden () gmail com>
Date: Mon, 10 Oct 2011 17:19:49 +0100

If it was to be avoided at *all* costs, they wouldn't have implemented it :)

Advice in the Snort manual is to have your first match not be a PCRE
though - more optimisation details available in the Snort docs.

What are you trying to match anyway?

cheers,
 Jamie

On 10 October 2011 14:10,  <vincent () ragosta net> wrote:
Hello all,

I wish to create a Snort signature to match a particular URI sequence.  But,
the latter part of the URI can vary.  I have been told by others that the
use of PCRE in Snort rules should be avoided at all costs due to the
performance penalties of its use.  Is this true?  If so, is it possible to
logically "OR" the content keyword to look for 1 of many possible, valid,
URI sequences?

Thanks!

Vincent

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
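
An added example, not part of the thread or of the Snort documentation, showing the "first match not a PCRE" advice in Snort 2.x rule syntax. Content options in one rule are ANDed, so the alternation between URI variants lives in the pcre; the URI, its suffixes, the msg text and the sids are constructed placeholders.

```snort
# Constructed example: "/portal/update.php?mode=" and the suffixes
# sync/push/pull are placeholders, not values from the thread.

# PCRE only: the rule has no content for the fast pattern matcher, so it
# cannot be prefiltered and the regex is evaluated far more often.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL URI variants, pcre only"; flow:to_server,established; pcre:"/\/portal\/update\.php\?mode=(?:sync|push|pull)(?:&|$)/Ui"; classtype:web-application-activity; sid:1000001; rev:1;)

# Content first: the fixed part of the URI is a plain content match on the
# normalized URI buffer, so the pcre (which handles the varying tail) is
# only evaluated for requests that already contain that string.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL URI variants, content then pcre"; flow:to_server,established; content:"/portal/update.php?mode="; http_uri; nocase; pcre:"/\/portal\/update\.php\?mode=(?:sync|push|pull)(?:&|$)/Ui"; classtype:web-application-activity; sid:1000002; rev:1;)
```

The alternative without any pcre is one rule per variant, each with the full URI as its content and its own sid.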
