[Snort-devel] Full regular expressions

Giovanni Meneghetti gmeneghetti at ...414...
Fri May 25 08:47:23 EDT 2001


Some weeks ago I posted a patch to enable full-regex in Snort.
Now I have some time to port it to the current CVS tree, but before
starting this job I'd like to say a few words about the "speed"
question. It's clear that a full regex pattern match would make Snort
slow, so I'm suggesting firing the full-regex pattern match at
"PostProcessing" time. This means full-regex rules can't stand alone, but
should be in the form:
    content:"content.pattern.here";
    full-regex:"more.restrictive.regex.pattern.here";
Now, when the regex pattern match is fired, it'd check if there was a
match in the previous "content", and then start the regex matching
process.

Do you think this solution could be acceptable?
If yes, any hints about coding the "if there was a match in the previous
content" issue?


Bye
Giovanni
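
The two-stage evaluation proposed in the message above, as an added example that is not part of the original post and is not Snort code: a cheap literal "content" search gates the regex, so the regex engine runs only on payloads that already passed the pre-filter. The names Rule, content_match, rule_eval and demo are hypothetical, POSIX regcomp()/regexec() stand in for whatever engine the patch uses, and the rule patterns and payloads are constructed samples.

```c
#include <regex.h>
#include <string.h>

/* Hypothetical rule layout: cheap literal pre-filter plus a compiled regex. */
typedef struct {
    const char *content;    /* literal from content:"..." */
    regex_t     re;         /* pattern from the proposed full-regex:"..." */
    unsigned    regex_runs; /* times the regex engine was actually invoked */
} Rule;

/* Length-bounded literal search over the payload. */
static int content_match(const char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns 1 if the rule fires; the regex runs only after a content hit. */
int rule_eval(Rule *r, const char *payload, size_t len)
{
    char text[1500 + 1];
    if (!content_match(payload, len, r->content)) return 0; /* no regex cost */
    if (len > sizeof text - 1) len = sizeof text - 1;
    memcpy(text, payload, len);
    text[len] = '\0';       /* regexec() needs a C string, stops at first NUL */
    r->regex_runs++;
    return regexec(&r->re, text, 0, NULL, 0) == 0;
}

/* Runs three constructed payloads; returns alert count, reports regex calls. */
int demo(unsigned *regex_runs)
{
    static const char *pkts[] = {       /* constructed samples, not real traffic */
        "GET /index.html HTTP/1.0",     /* content miss: regex skipped */
        "GET /site.bak HTTP/1.0",       /* content hit, regex hit */
        "POST /upload HTTP/1.0 x.bak",  /* content hit, regex miss */
    };
    Rule r = { .content = ".bak", .regex_runs = 0 };
    int alerts = 0;
    if (regcomp(&r.re, "^GET /[^ ]*\\.bak HTTP/1\\.[01]$",
                REG_EXTENDED | REG_NOSUB) != 0) return -1;
    for (size_t i = 0; i < 3; i++)
        alerts += rule_eval(&r, pkts[i], strlen(pkts[i]));
    *regex_runs = r.regex_runs;
    regfree(&r.re);
    return alerts;
}
```

Of the three sample payloads, only the two containing the literal reach the regex engine, and one of those raises an alert.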



