[Snort-sigs] Question about pcre syntax

Jason security at ...704...
Thu Feb 21 18:44:57 EST 2008


I would hazard a guess that NO it is not going to be a significant 
performance difference in this specific case.


Paul Schmehl wrote:
> Is this correct syntax for pcre?  Or will it not work at all?
> 
> prce:"/foo|bar|some|such|thing/";
> 
> The intent is to provide a bunch of ors that would match after a previous 
> positive content match.
> 
> Would it be more efficient (less resource intensive) to write a separate 
> rule for each match, even though the entire rule would be the same except 
> for the second content match?
> 
> Paul Schmehl (pauls at ...1311...)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 




More information about the Snort-sigs mailing list