[Snort-sigs] Overhead caused by PCRE?
marc.norton at ...435...
Mon Mar 7 11:33:30 EST 2005
If you only have a single content applied to say port 139 for instance,
then all of the multi-pattern matchers would know to use boyer moore,
since it is the fastest single content search technique available.
Notice that I said single content. Typically a rule has one or more
contents, so 3 rules could have 10 or more contents. A single rule could
have 10 contents as well, theoretically, in which case the multi-pattern
search engine would match the multiple patterns against the data.
Edin Dizdarevic wrote:
> Brian wrote:
>> On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
>> 1) single rule, single string match
>> In the single rule string match case, both PCRE & content use
>> boyer-moore. However, pcre has a small amount of additional
> Is this always the case? I thought the search method can be set by the
> config search-method: ac|mwm|lowmem directive - Aho-Corasick/Modified
> Wu-Manber/Boyer-Moore respectively?
>> function call overhead, giving content a slight win. However, in
>> most cases the additional overhead is negligible.
Marc Norton Snort Team Lead
410-423-1924 mnorton at ...435...
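
An added sketch of the dispatch described in the message above, not Snort's source and not part of the original post: one content goes to a Boyer-Moore-Horspool search, several contents go through one Aho-Corasick pass over the data. All names (`match_contents`, `bmh_find`, `ac_build`) are hypothetical, and the code assumes at most 32 non-empty, NUL-free patterns whose combined length stays under `MAX_STATES`.

```c
#include <string.h>
#define MAX_STATES 256   /* assumption: combined pattern length < 256 */
static int next_state[MAX_STATES][256], fail_link[MAX_STATES], n_states;
static unsigned hit_mask[MAX_STATES];   /* bit i set: pattern i ends here */

/* Single content: Boyer-Moore-Horspool (bad-character shift only). */
static int bmh_find(const unsigned char *t, int n, const char *p) {
    int m = (int)strlen(p), shift[256], i, k;
    if (m == 0 || m > n) return -1;
    for (i = 0; i < 256; i++) shift[i] = m;
    for (i = 0; i < m - 1; i++) shift[(unsigned char)p[i]] = m - 1 - i;
    for (k = 0; k <= n - m; k += shift[t[k + m - 1]])
        if (memcmp(t + k, p, (size_t)m) == 0) return k;
    return -1;
}

/* Several contents: Aho-Corasick automaton (trie plus failure links). */
static void ac_build(const char **pats, int np) {
    int queue[MAX_STATES] = {0}, head = 0, tail = 1, i, c, s;
    memset(next_state, 0, sizeof next_state);
    memset(hit_mask, 0, sizeof hit_mask);
    n_states = 1;
    for (i = 0; i < np; i++) {          /* insert each pattern into the trie */
        const unsigned char *p = (const unsigned char *)pats[i];
        for (s = 0; *p; s = next_state[s][*p++])
            if (!next_state[s][*p]) next_state[s][*p] = n_states++;
        hit_mask[s] |= 1u << i;
    }
    while (head < tail) {               /* breadth-first from the root */
        s = queue[head++];
        for (c = 0; c < 256; c++) {
            int child = next_state[s][c];
            int via_fail = s ? next_state[fail_link[s]][c] : 0;
            if (!child) { next_state[s][c] = via_fail; continue; }
            fail_link[child] = via_fail;
            hit_mask[child] |= hit_mask[via_fail];  /* inherit suffix matches */
            queue[tail++] = child;
        }
    }
}

/* Returns a bitmask of the contents found in data (bit i = pats[i]). */
unsigned match_contents(const unsigned char *data, int n, const char **pats, int np) {
    unsigned hits = 0; int s = 0, i;
    if (np == 1) return bmh_find(data, n, pats[0]) >= 0 ? 1u : 0u;
    ac_build(pats, np);
    for (i = 0; i < n; i++) { s = next_state[s][data[i]]; hits |= hit_mask[s]; }
    return hits;
}
```

With one pattern the search can skip ahead by up to the pattern length per comparison; with several, every byte of the data is read exactly once regardless of how many contents are loaded.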