[Snort-sigs] Overhead caused by PCRE?

Edin Dizdarevic snort at ...3014...
Thu Mar 3 00:22:51 EST 2005

Brian schrieb:
> On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
> 1) single rule, single string match
>    In the single rule string match case, both PCRE & content use
>    boyer-moore.  However, pcre has a small amount of additional

Is this always the case? I thought the search method can be set be the
config search-method: ac|mwm|lowmem directive - Aho-Corasick/Modified
Wu-Manber/Boyer-Moore respectively?


>    function call overhead, giving content a slight win.  However, in
>    most cases the additional overhead is negligible.

> Brian

More information about the Snort-sigs mailing list