[Snort-users] PCRE

Brian bmc at ...950...
Fri Dec 19 12:13:03 EST 2003


On Fri, Dec 19, 2003 at 02:19:54PM -0500, adam.w.hogan wrote:
> Does using pcre in signatures tax the CPU?  When is it proper and/or
> efficient to use pcre?  I'm very familiar with perl regular
> expressions and it would be easier to write rules with pcre than
> content & distance, within, etc.  Is there a downside to using pcre
> for this? 
> 
> I suppose I ask because it sounds like too much of a good thing.
> Between pcre and thresholding I think it will be a lot easier and
> far more efficient to write rules for Snort.

If you can get away with writing rules without pcre, do it.  The
slowdown isn't really by using pcre, but by not using content.
Because of the multi-pattern matching foo in the detection engine in
2.0 (and beyond), rules without content are MUCH slower than rules
that are just PCRE.

pcre rules should ALWAYS have at least ONE content keyword.  Also, if
you can get away with writing rules without PCRE, do it.  Normal
pattern matching is still faster, it is just missing a few of the
whizbang features that are needed to do some types of detection.

-brian
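The advice above, as an added example that is not part of Brian's reply or of any shipped Snort ruleset: the same detection (a constructed "/cgi-bin/" request carrying a "../" traversal) written three ways, in Snort 2.x rule syntax. The SIDs, message texts and the traversal target are placeholders chosen for illustration.

```snort
# WEAK: pcre only, no content keyword. The multi-pattern matcher has nothing
# to pre-filter on, so the regex is evaluated against every packet that
# matches the header, which is the slow case described in the reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE cgi-bin traversal - pcre only"; flow:to_server,established; pcre:"/\/cgi-bin\/[^\s]*\.\.\//i"; classtype:web-application-attack; sid:1000001; rev:1;)

# BETTER: at least one content keyword anchors the rule in the multi-pattern
# matcher; the pcre runs only on packets that already contain "/cgi-bin/".
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE cgi-bin traversal - content plus pcre"; flow:to_server,established; content:"/cgi-bin/"; nocase; pcre:"/\/cgi-bin\/[^\s]*\.\.\//i"; classtype:web-application-attack; sid:1000002; rev:1;)

# BEST when the pattern allows it: no pcre at all. A second content keyword
# with distance:0 requires "../" to appear somewhere after "/cgi-bin/",
# using only the faster plain pattern matcher.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE cgi-bin traversal - content only"; flow:to_server,established; content:"/cgi-bin/"; nocase; content:"../"; distance:0; classtype:web-application-attack; sid:1000003; rev:1;)
```

The content-only form loses the "no whitespace between the two strings" constraint that the regex expresses; that is the kind of precision for which pcre is worth keeping, behind a content anchor.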