[Snort-sigs] PCRE Performance

Jamie Riden jamie.riden at ...2420...
Mon Oct 10 12:19:49 EDT 2011

If it was avoid at *all* costs, they wouldn't have implemented it :)

Advice in the snort manual is to have your first match not be a PCRE
though - more optimisation details available in the snort docs.

What are you trying to match anyway?


On 10 October 2011 14:10,  <vincent at ...3611...> wrote:
> Hello all,
> I wish to create a Snort signature to match a particular URI sequence.  But,
> the latter part of the URI can vary.  I have been told by others that the
> use of PCRE in Snort rules should be avoided at all costs due to the
> performance penalties of its use.  Is this true?  If so, is it possible to
> logically "OR" the content keyword to look for 1 of many possible, valid,
> URI sequences?
> Thanks!
> Vincent
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...

More information about the Snort-sigs mailing list