[Snort-sigs] PCRE Performance

vincent at ...3611...
Mon Oct 10 15:25:43 EDT 2011


I'm trying to match a specific URL that ends in 1, 2, or 3.  So, the following would all be successful matches:

/testing1.html
/testing2.html
/testing3.html

Thanks,

Vincent


On Mon, 10/10/2011 12:19 PM, Jamie Riden <jamie.riden at ...2420...> wrote:
> If it was avoid at *all* costs, they wouldn't have implemented it :)
> 
> Advice in the snort manual is to have your first match not be a PCRE
> though - more optimisation details available in the snort docs.
> 
> What are you trying to match anyway?
> 
> cheers,
>  Jamie
> 
> On 10 October 2011 14:10,  <vincent at ...3611...> wrote:
> > Hello all,
> >
> > I wish to create a Snort signature to match a particular URI sequence.  But,
> > the latter part of the URI can vary.  I have been told by others that the
> > use of PCRE in Snort rules should be avoided at all costs due to the
> > performance penalties of its use.  Is this true?  If so, is it possible to
> > logically "OR" the content keyword to look for 1 of many possible, valid,
> > URI sequences?
> >
> > Thanks!
> >
> > Vincent
> 
> --
> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> http://uk.linkedin.com/in/jamieriden
> 
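
Added example (not part of the original thread and not taken from the Snort manual): a Snort 2.x sketch of the advice quoted above, with a plain `content` match placed ahead of the `pcre`, followed by the content-only alternative written as three separate rules. The `msg` strings, the SIDs in the local range, and the choice of `$EXTERNAL_NET`, `$HTTP_SERVERS` and `$HTTP_PORTS` are assumptions; adjust them to the local snort.conf.

```snort
# Option A: content first, pcre second.
# The fixed string "/testing" is checked by the fast pattern matcher, so the
# regular expression is only evaluated on requests whose URI already contains
# it. The /U flag applies the pcre to the normalized URI buffer, the same
# buffer http_uri selects for the content match.
# Appending $ after \.html would restrict the match to URIs with nothing
# following ".html" (for example, no query string).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL request for /testing[1-3].html"; \
    flow:to_server,established; \
    content:"/testing"; http_uri; fast_pattern; \
    pcre:"/\/testing[1-3]\.html/U"; \
    sid:1000001; rev:1;)

# Option B: no pcre at all.
# Content matches within one rule are ANDed together, so "one of several
# fixed strings" is written as one rule per string, each with its own SID.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL request for /testing1.html"; \
    flow:to_server,established; \
    content:"/testing1.html"; http_uri; \
    sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL request for /testing2.html"; \
    flow:to_server,established; \
    content:"/testing2.html"; http_uri; \
    sid:1000003; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL request for /testing3.html"; \
    flow:to_server,established; \
    content:"/testing3.html"; http_uri; \
    sid:1000004; rev:1;)
```

Option A keeps a single SID for all three URLs; Option B avoids the regular expression entirely at the cost of one rule per URL.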