[Snort-sigs] Overhead caused by PCRE?

Edin Dizdarevic snort at ...3014...
Thu Mar 3 00:22:51 EST 2005


Brian schrieb:
> On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
...
> 1) single rule, single string match
> 
>    In the single rule string match case, both PCRE & content use
>    boyer-moore.  However, pcre has a small amount of additional

Is this always the case? I thought the search method can be set be the
config search-method: ac|mwm|lowmem directive - Aho-Corasick/Modified
Wu-Manber/Boyer-Moore respectively?

Edin

>    function call overhead, giving content a slight win.  However, in
>    most cases the additional overhead is negligible.

...
> 
> Brian
> 




More information about the Snort-sigs mailing list