[Snort-devel] Full regular expressions - slow or fast ?

Giovanni Meneghetti gmeneghetti at ...414...
Mon May 28 03:45:34 EDT 2001


I'm not thinking about "full-regex" as a function that could replace any of
the existing functions like "content" etc.
My target is to add a feature which may help to reduce false alerts. I'd code
"full-regex" to put them after a conventional "content". Thus we should
continue using the "content" function, and, in the same rule, we may append a
"full-regex" to refine if it's been actually an attack.
In this scenario (thanks to Fyodor who showed me the point) snort'd fire a
"full-regex" search only for those packets which "content" made an alert to be
fired. Performance wouldn't be affected at all, because if your snort fires,
let's say, 1000 alerts every day, "full-regex" computation would be fired 1000
unique times in a day, which, computationally, is almost subtle.
If there's some wrong assumption, please let me know of any issue.

Bye
Giovanni


Martin Roesch wrote:

> I'd like to see it.  If people want Snort to run extremely slowly, we'll
> give them that option.  I'd leave it turned off in the default
> snort.conf, maybe we could start working on a post-process.conf or
> something for turning on stuff that we wouldn't normally want to touch
> at run time?
>
>     -Marty
>
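The two-stage design Giovanni describes, a cheap "content" substring pre-filter that gates a full regular expression, can be shown as a small simulation. This is an added example, not Snort code: the `Rule`, `Stats` and `inspect` names, the `prefilter` switch and the sample packets are all constructed here to count how often the regex actually runs with and without the content gate.

```python
import re


class Rule:
    """A rule in the spirit of the post: a fast 'content' substring check,
    followed by a full regex that runs only on packets the content check hit.
    Both option names are used loosely here; this is not Snort's parser."""

    def __init__(self, name, content, full_regex):
        self.name = name
        self.content = content                      # bytes, cheap find()
        self.full_regex = re.compile(full_regex)    # bytes regex, expensive


class Stats:
    def __init__(self):
        self.packets = 0
        self.content_hits = 0
        self.regex_evaluations = 0
        self.alerts = []


def inspect(rule, payloads, prefilter=True):
    """Run one rule over payloads and record how much work each stage did.

    prefilter=True  : regex evaluated only after the content substring hits.
    prefilter=False : regex evaluated on every packet (the cost the thread
                      worries about when full regex runs unconditionally).
    """
    stats = Stats()
    for payload in payloads:
        stats.packets += 1
        content_hit = payload.find(rule.content) != -1
        if content_hit:
            stats.content_hits += 1
        if prefilter and not content_hit:
            continue                                # regex never runs here
        stats.regex_evaluations += 1
        if rule.full_regex.search(payload):
            stats.alerts.append(payload)
    return stats


# Hypothetical rule: 'content' flags any cgi-bin request, the regex keeps
# only those whose path actually contains a '../' traversal component.
RULE = Rule(
    name="cgi-bin traversal (constructed example)",
    content=b"/cgi-bin/",
    full_regex=rb"/cgi-bin/\S*\.\./",
)

# Constructed traffic: 1000 benign requests plus two cgi-bin requests, only
# one of which the refinement regex should accept.
BENIGN = [
    b"GET /page%d.html HTTP/1.0\r\nHost: example.test\r\n\r\n" % i
    for i in range(1000)
]
SUSPECT = [
    b"GET /cgi-bin/status HTTP/1.0\r\nHost: example.test\r\n\r\n",        # content hits, regex rejects
    b"GET /cgi-bin/../../secret HTTP/1.0\r\nHost: example.test\r\n\r\n",  # content hits, regex accepts
]
SAMPLE_PACKETS = BENIGN + SUSPECT


if __name__ == "__main__":
    for mode in (True, False):
        s = inspect(RULE, SAMPLE_PACKETS, prefilter=mode)
        print(f"prefilter={mode}: packets={s.packets} content_hits={s.content_hits} "
              f"regex_evaluations={s.regex_evaluations} alerts={len(s.alerts)}")
```

With the gate on, the regex is evaluated twice for 1002 packets and still produces the same single alert as the ungated run, which evaluates it 1002 times; the content stage also shows where the false alert (`/cgi-bin/status`) gets discarded before it is reported.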
