[Snort-sigs] PCRE Performance

waldo kitty wkitty42 at ...3507...
Mon Oct 10 12:17:21 EDT 2011


On 10/10/2011 09:10, vincent at ...3611... wrote:
> Hello all,
>
> I wish to create a Snort signature to match a particular URI sequence. But, the
> latter part of the URI can vary. I have been told by others that the use of PCRE
> in Snort rules should be avoided at all costs due to the performance penalties
> of its use. Is this true? If so, is it possible to logically "OR" the content
> keyword to look for 1 of many possible, valid, URI sequences?

why is a PCRE needed? you cannot use just the non-changing portion of the URL? 
maybe i'm misunderstanding and it is not the whole "first part" that is the same?



