[Snort-sigs] Re: pcre (was: To build a logical AND expression)

Martin Olsson elof at ...1288...
Mon Dec 15 08:06:01 EST 2003


On Mon, 15 Dec 2003, Brian wrote:
> > I don't know how snort handle the doe_pointer when content searches
> > DON'T match. If it is unmodified, I guess you could just add another
> > inverted content search in order to create a logical AND...
> > msg:"SMTP HELO overflow attempt"; flow:to_server,established;
> > content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500;
> > content:!"|0d|"; within:500;
>
> IIRC, it should.  However, you might just want to update to CURRENT
> (soon to be 2.1) and use pcre.

Yes, pcre will probably solve a lot of issues nicely.
I'm just wondering what the performance impact will be... I fear that the
pcre engine will punish snort CPU and memory performance.

Human nature is to be lazy and do things the easy way, so I'm afraid
that people will create simple pcre-rules for everything instead of
handcrafting an optimized rule that uses as few resources as possible.

I hope that I'm wrong.

/Martin
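To make the negated-content trick in the quoted rule concrete, here is a small Python evaluator, added here and not part of the original thread or of Snort itself. It models the content/offset/depth/within options with the semantics the thread assumes (a negated content succeeds when its pattern is absent from its window and leaves the doe pointer unchanged) and runs the HELO rule over constructed SMTP lines.

```python
# Toy evaluator for the Snort content options used in the quoted HELO rule.
# Assumption (from the thread, not verified against Snort source): a negated
# content "matches" when its pattern is absent and does not move doe.

def parse_content(value: str) -> bytes:
    """Turn a Snort content string such as 'HELO ' or '|0d 0a|' into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def evaluate_rule(payload: bytes, contents) -> bool:
    """contents: list of (pattern, negated, modifiers); True if the rule fires."""
    doe = 0            # detect-offset-end: end of the previous positive match
    have_prev = False
    for pattern, negated, mods in contents:
        if have_prev and "within" in mods:
            # relative search: only the next `within` bytes after the last match
            start, end = doe, min(len(payload), doe + mods["within"])
        else:
            # absolute search: offset/depth counted from the start of the payload
            start = mods.get("offset", 0)
            end = min(len(payload), start + mods["depth"]) if "depth" in mods else len(payload)
        idx = payload[start:end].find(pattern)
        if negated:
            if idx != -1:
                return False     # forbidden byte present in the window
        else:
            if idx == -1:
                return False     # required pattern missing
            doe, have_prev = start + idx + len(pattern), True
    return True

# The rule from the thread: HELO at offset 0, then no LF and no CR in the
# following 500 bytes, i.e. a HELO line with no line terminator for 500 bytes.
HELO_RULE = [
    (parse_content("HELO "), False, {"offset": 0, "depth": 5}),
    (parse_content("|0a|"), True, {"within": 500}),
    (parse_content("|0d|"), True, {"within": 500}),
]

# Constructed sample payloads (not captured traffic).
NORMAL_HELO = b"HELO mail.example.com\r\n"
LONG_HELO = b"HELO " + b"A" * 600 + b"\r\n"
EHLO = b"EHLO mail.example.com\r\n"

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_HELO), ("long", LONG_HELO), ("ehlo", EHLO)]:
        print(name, evaluate_rule(pkt, HELO_RULE))
```

Note that a HELO argument of exactly 500 bytes followed by CRLF also fires, because the terminator sits just outside the 500-byte window; that boundary is what the within value fixes.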
