[Snort-devel] Full regular expressions

Martin Roesch roesch at ...402...
Mon May 28 01:38:39 EDT 2001


I'd like to see it.  If people want Snort to run extremely slowly, we'll
give them that option.  I'd leave it turned off in the default
snort.conf; maybe we could start working on a post-process.conf or
something for turning on stuff that we wouldn't normally want to touch
at run time?

    -Marty

Giovanni Meneghetti wrote:
> 
> Some weeks ago I posted a patch to enable full-regex in snort.
> Now I'm having some time to port it to the current CVS tree, but before
> starting this job I'd like to spend some words about the "speed"
> question. It's clear that a full regex pattern match would make snort
> slow, so I'm suggesting to fire full-regex pattern match in a
> "PostProcessing" time. This means full-regex rules can't stay alone, but
> should be in the form:
> content:"content.pattern.here";
> full-regex:"more.restrictive.regex.pattern.here";
> Now, when the regex pattern match is fired, it'd check if there were a
> match in the previous "content", and then start the regex matching
> process.
> 
> Do you think this solution could be acceptable?
> If yes, any hint about coding the "if there were a match in the previous
> content" issue.
> 
> Bye
> Giovanni
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
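
The two-stage matching proposed in the quoted message, sketched as an added example (not code from the patch or from Snort): the literal content check gates the regex, so the regex runs only on payloads that already matched the content. The struct rule layout, function names, rule strings and payloads are assumptions made for illustration, and POSIX regex.h stands in for whatever regex library the patch used.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rule layout (not Snort's): literal content + stricter regex. */
struct rule {
    const char *content;    /* cheap literal pre-filter */
    regex_t     re;         /* POSIX extended regex, compiled once at load */
    unsigned    regex_runs; /* how many payloads reached the slow path */
};

/* Returns 1 when both stages match. The regex runs only after a content hit. */
int rule_match(struct rule *r, const char *payload)
{
    if (strstr(payload, r->content) == NULL)
        return 0;
    r->regex_runs++;
    return regexec(&r->re, payload, 0, NULL, 0) == 0;
}

/* Feeds constructed payloads through one rule; returns the alert count. */
int demo(unsigned *regex_runs)
{
    static const char *payloads[] = {          /* constructed sample data */
        "GET /index.html HTTP/1.0",            /* content miss */
        "GET /admin/help.html HTTP/1.0",       /* content hit, regex miss */
        "GET /admin/edit.php?id=42 HTTP/1.0",  /* content hit, regex hit */
        "POST /login HTTP/1.0",                /* content miss */
    };
    struct rule r = { .content = "/admin/", .regex_runs = 0 };
    int alerts = 0;
    if (regcomp(&r.re, "^GET /admin/[a-z]+\\.php\\?id=[0-9]+ ",
                REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++)
        alerts += rule_match(&r, payloads[i]);
    *regex_runs = r.regex_runs;
    regfree(&r.re);
    return alerts;
}

int main(void)
{
    unsigned runs = 0;
    printf("alerts=%d\n", demo(&runs));
    printf("regex_runs=%u of 4 payloads\n", runs);
    return 0;
}
```

The regex_runs counter shows the cost argument: the expensive stage is paid only for traffic the content pattern selects, so a rare, specific content string keeps the overhead low.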



