[Snort-devel] Full Regex. To use it or not to use it - The patch

Meneghetti Giovanni gmeneghetti at ...414...
Thu May 10 05:36:08 EDT 2001


Hi,
here's the diff to make snort handle regular expressions.
I used the regex library written by Henry Spencer.
To compile, you need the libregex. I haven't included it
in this post. For your convenience, I'll make it available
for download from http://ca.popvi.it/regex.tgz
It's mandatory to link the libregex.a at compile time.
I don't know why, but if I don't add the "-lregex", my compiler
doesn't complain at compile time, and snort gives a core at runtime.

I'm working on Linux 2.4.0, gcc 2.95.3.
This work is still beta, but before continuing,
I'd like to have feedback from snort's dev team, because
I had to modify the mSearch prototypes, so I hope I didn't
hurt anyone :)
Patches are against snort-1.7 .
If full regex will be accepted by snort community, I'll port to
current snort-cvs.

To compile:
SNORTDIR=</path/to/your/snort>
cd $SNORTDIR
#download  http://ca.popvi.it/regex.tgz
tar -zxvf regex.tgz  # Files will be extracted in a dir named regex.
cd regex
make lib
## If you want to play with regular expressions:
#make
#man ./regex.7
#./re -h
cd ..
+ Apply the diff I'm posting.
+ In makefile:
  Add "-L./regex" to LDFLAGS
  Add "-lregex" to LIBS



> How does this stack up against snort's existing regex support ?
Snort's existing regex deals with basic regex keys, like '?' '*' '\'.
Instead, library libregex is more complete and handles
"POSIX 1003.2 regular expressions".
These two kinds of regex support are different. And, IMHO, they will remain
separate.
To use the "existing regex", a rule has to call the "regex" key, like
this:
alert tcp any any -> any any (msg:"Test Existing Regex";flags: A+;
content:"a?c"; regex; reference:arachnids,373;)
BTW: Is existing regex stable or beta ? I haven't seen rules using it.
To use the "full modern regex", a rule will call the "full-regex" key,
like :
alert tcp any any -> any any (msg:"Test Full Regex";flags: A+;
content:".nsf/[^[:alpha:]]"; full-regex; reference:arachnids,373;)
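The following C program is an added example, not code from the post or from the patch it describes. It runs the two rule patterns quoted above through two matchers: glob_search(), a small '?' '*' '\' matcher written here as a stand-in for what the "regex" key handles (it is not Snort's mSearch), and posix_search(), which hands the pattern to the system's POSIX <regex.h> engine (assumed to accept the same POSIX 1003.2 syntax as the Spencer library the patch links). The HTTP request lines it searches are constructed for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Snort code and not the patch from this post).
 * glob_search(): illustrative '?' '*' '\' matcher, in the spirit of the
 *                "regex" key; not a copy of mSearch.
 * posix_search(): the libc POSIX 1003.2 engine, assumed to behave like the
 *                 Spencer libregex the patch links; what "full-regex" would
 *                 hand the content string to.
 */

/* Does the glob pattern match a prefix of s?  '?' = any one byte,
 * '*' = any run of bytes (including none), '\' = take next byte literally. */
static int glob_here(const char *pat, const char *s)
{
    if (*pat == '\0')
        return 1;                      /* pattern exhausted: prefix matched */
    if (*pat == '*') {
        /* try every possible length for the '*', including zero */
        do {
            if (glob_here(pat + 1, s))
                return 1;
        } while (*s++);
        return 0;
    }
    int literal = (*pat == '\\');
    if (literal) {
        pat++;
        if (*pat == '\0')
            return 0;                  /* trailing backslash: malformed pattern */
    }
    if (*s == '\0')
        return 0;                      /* subject exhausted before pattern */
    if ((literal || *pat != '?') && *pat != *s)
        return 0;
    return glob_here(pat + 1, s + 1);
}

/* Unanchored search, like a content: match: 1 if pat matches anywhere. */
int glob_search(const char *pat, const char *payload)
{
    do {
        if (glob_here(pat, payload))
            return 1;
    } while (*payload++);
    return 0;
}

/* Compile pat as a POSIX extended RE and search payload for it.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
 * Caveat: regexec() takes a C string, so the payload is only searched up
 * to its first NUL byte; a packet matcher needs a length-aware interface. */
int posix_search(const char *pat, const char *payload)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, payload, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* constructed sample request lines, not captured traffic */
    const char *hit  = "GET /names.nsf/$defaultview HTTP/1.0";
    const char *miss = "GET /names.nsf/view HTTP/1.0";
    const char *full = ".nsf/[^[:alpha:]]";   /* pattern from the full-regex rule */

    printf("full-regex %s on hit : %d\n", full, posix_search(full, hit));
    printf("full-regex %s on miss: %d\n", full, posix_search(full, miss));
    printf("regex a?c   on \"xxabcxx\": %d\n", glob_search("a?c", "xxabcxx"));
    printf("regex a?c   on \"xxacxx\" : %d\n", glob_search("a?c", "xxacxx"));
    printf("regex a*c   on \"xxacxx\" : %d\n", glob_search("a*c", "xxacxx"));
    printf("regex a\\?c  on \"a?c\"    : %d\n", glob_search("a\\?c", "a?c"));
    return 0;
}
```

Build it with a plain `cc rxdemo.c -o rxdemo`; libc's own <regex.h> needs no extra library, unlike the libregex.a the patch links. Two points the program makes visible: the `[^[:alpha:]]` class is what separates the two rules (the glob matcher has no character classes at all), and posix_search() compiles the pattern on every call, which is fine for a demo but is exactly what an engine must avoid; the rule parser should regcomp() once at load time and keep the regex_t with the rule.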


> What about performance, old way pattern match Vs Regular Expression?
> A full regexp engine would make Snort deadly slow.
Short answer:
 Bad. Slow.
Long answer:
 Using RE, if a pattern isn't long, performance is quite good, but the
 more complex the patterns are, the more CPU and/or memory will be required.
