[Snort-sigs] PCRE Performance

vincent at ...3611... vincent at ...3611...
Mon Oct 10 09:10:45 EDT 2011


Hello all,

I wish to create a Snort signature to match a particular URI sequence.  But, the latter part of the URI can vary.  I have been told by others that the use of PCRE in Snort rules should be avoided at all costs due to the performance penalties of its use.​  Is this true?  If so, is it possible to logically "OR" the content keyword to look for 1 of many possible, valid, URI sequences?

Thanks!

Vincent
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20111010/25f5944c/attachment.html>


More information about the Snort-sigs mailing list