[Snort-devel] Case sensitive fast pattern matches

Hui Cao (huica) huica at ...3461...
Wed Mar 5 14:12:04 EST 2014


Hi Mike,

Actually, the reasons we choose case insensitive as default are performance and memory. The state machine can make a single pass through the state machine -- consider each of three patterns:

HTTP, http, Http

All of those would match via the state machine on a single pass and are in fact stored as the same state transitions. At the same time, this will also save on memory.

Best,
Hui.

From: Mike Cox <mike.cox52 at ...2499...>
Date: Wednesday, March 5, 2014 at 10:02 AM
To: snort-devel <snort-devel at lists.sourceforge.net>, snort-sigs <snort-sigs at lists.sourceforge.net>
Subject: [Snort-devel] Case sensitive fast pattern matches

Dear Snort Community,

I will keep this "short and sweet".  For many years I have appreciated the functionality of the Snort fast pattern matcher.  Yet I often wish (read: strongly desire) that it would be case-sensitive, or at the very least, have the capability to specify if a fast pattern match should be case sensitive or not.

A case sensitive match should be more efficient than one that is not and a lot of times, while I benefit from the overall performance enhancement from the fast pattern matcher, the engine has to re-evaluate the content match again because I need the match to be case sensitive so I can't set it as, "fast_pattern:only".  This is very frustrating (hence this email).

Thanks!

Mike Cox