[Snort-sigs] Overhead caused by PCRE?

marc norton marc.norton at ...435...
Mon Mar 7 11:33:30 EST 2005


If you only have a single content applied to say port 139 for instance, 
then all of the multi-pattern matchers would know to use Boyer-Moore, 
since it is the fastest single content search technique available. 
Notice that I said single content.  Typically a rule has one or more 
contents, so 3 rules could have 10 or more contents. A single rule could 
have 10 contents as well, theoretically, in which case the multi-pattern 
search engine would match the multiple patterns against the data.



Edin Dizdarevic wrote:
> Brian wrote:
> 
>> On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
> 
> ...
> 
>> 1) single rule, single string match
>>
>>    In the single rule string match case, both PCRE & content use
>>    boyer-moore.  However, pcre has a small amount of additional
> 
> 
> Is this always the case? I thought the search method can be set by the
> config search-method: ac|mwm|lowmem directive - Aho-Corasick/Modified
> Wu-Manber/Boyer-Moore respectively?
> 
> Edin
> 
>>    function call overhead, giving content a slight win.  However, in
>>    most cases the additional overhead is negligible.
> 
> 
> ...
> 
>>
>> Brian
>>
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-- 
Marc Norton   Snort Team Lead
410-423-1924  mnorton at ...435...
www.snort.org www.sourcefire.com
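Added example (not Snort's code, and a deliberate simplification of its search engines): the selection logic Marc describes above, implemented in Python. A port group holding exactly one content is searched with a single-pattern Boyer-Moore-Horspool scan; a port group holding several contents is compiled into one Aho-Corasick automaton and the payload is walked once for all of them. The port groups, contents and payloads are constructed for the example and do not correspond to any real Snort rule.

```python
"""Single-content vs. multi-content search, as described in the thread.

Constructed example: PORT_GROUPS, the contents and the payloads below are
made up for illustration; they are not Snort rules or Snort code.
"""
from collections import deque


def bmh_search(pattern: bytes, data: bytes) -> int:
    """Boyer-Moore-Horspool: offset of the first occurrence of pattern, or -1."""
    m, n = len(pattern), len(data)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character shift: how far to slide when the last window byte mismatches.
    skip = {b: m - 1 - i for i, b in enumerate(pattern[:-1])}
    i = 0
    while i <= n - m:
        if data[i:i + m] == pattern:
            return i
        i += skip.get(data[i + m - 1], m)  # unseen byte: skip a whole pattern length
    return -1


class AhoCorasick:
    """Multi-pattern matcher: one pass over the data reports every content."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next state}
        self.out = [[]]       # state -> pattern ids ending here
        self.fail = [0]       # state -> longest proper suffix that is a prefix
        for pid, pat in enumerate(patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(pid)
        # Breadth-first pass to fill the failure links (shallower states first).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])

    def search(self, data: bytes):
        """Yield (pattern id, end offset) for every match, in order of end offset."""
        state = 0
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pid in self.out[state]:
                hits.append((pid, i))
        return hits


# Constructed port groups: port 139 has one content, port 80 has three.
PORT_GROUPS = {
    139: [b"\xffSMB"],
    80: [b"GET ", b"/cgi-bin/", b"../"],
}


def scan(port: int, payload: bytes):
    """Pick the search method from the number of contents on the port group.

    Returns (method name, [(content, end offset), ...]).
    """
    contents = PORT_GROUPS[port]
    if len(contents) == 1:
        pat = contents[0]
        off = bmh_search(pat, payload)
        hits = [(pat, off + len(pat) - 1)] if off >= 0 else []
        return "boyer-moore", hits
    ac = AhoCorasick(contents)
    return "aho-corasick", [(contents[pid], end) for pid, end in ac.search(payload)]


if __name__ == "__main__":
    print(scan(139, b"\x00\x00\x00\x2f\xffSMBr\x00"))
    print(scan(80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"))
```

The point of the dispatch in `scan` is the one made in the thread: a single content per port group lets the engine use the fastest single-string search, while any group with several contents is better served by a multi-pattern automaton that reads each payload byte once regardless of how many contents the group's rules carry.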