[Snort-users] Overhead caused by PCRE?

Matt Kettler mkettler at ...4108...
Tue Mar 1 13:05:33 EST 2005


At 08:22 PM 2/28/2005, Jeff McCarthy wrote:
>I have a question regarding using PCRE in Snort rules.
>If I write 100 rules using content: and 100 using
>PCRE, will there be a noticeable difference in
>processing time or CPU utilization?

That depends a lot on the regular expression...

Some regexes evaluate quickly... i.e. /foo/ evaluates fast. Probably a bit 
slower than a similar content rule, but not wildly so.

However, a regex with lots of combinations, back references, use of .* etc. 
can really increase the complexity of a regex. These can be many orders of 
magnitude more complex.

For example, let's add just a .* followed by a backreference to make the 
/foo/ regex more painful:
  /(foo).*\1/

Compare the number of offset annotation bytes in these two regexes. Look at 
the number of bytes of offset annotations... They've gone up to over triple 
their previous size.

$ perl -Mre=debug -e  "/(foo).*\1/"
Freeing REx: `","'
Compiling REx `(foo).*\1'
size 11 Got 92 bytes for offset annotations.
first at 3
rarest char f at 0
    1: OPEN1(3)
    3:   EXACT <foo>(5)
    5: CLOSE1(7)
    7: STAR(9)
    8:   REG_ANY(0)
    9: REF1(11)
   11: END(0)


$ perl -Mre=debug -e  "/foo/"
Freeing REx: `","'
Compiling REx `foo'
size 3 Got 28 bytes for offset annotations.
first at 1
rarest char f at 0
    1: EXACT <foo>(3)
    3: END(0)
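
Added example (not part of the original post, and not Perl's or PCRE's actual engine): a simplified backtracking model that follows the node listing printed above for /(foo).*\1/ (EXACT, greedy STAR over REG_ANY, REF1) and counts byte comparisons against a naive literal scan. The payloads, function names and step accounting are assumptions made for illustration; real engines apply start-point optimizations this model omits.

```python
# Added example: simplified step-counting model, not Perl's or PCRE's engine.
# Real engines add optimizations (start-point scans, memchr) that this omits.
NEWLINE = 0x0A  # '.' (REG_ANY) does not match newline by default

def _exact(needle, data, pos):
    """Compare needle at data[pos:]; return (matched, comparisons made)."""
    if pos + len(needle) > len(data):
        return False, 0
    for i, ch in enumerate(needle):
        if data[pos + i] != ch:
            return False, i + 1
    return True, len(needle)

def literal_steps(needle, data):
    """Model of /foo/ (or a content: match): naive scan for the literal."""
    steps = 0
    for start in range(len(data) - len(needle) + 1):
        ok, n = _exact(needle, data, start)
        steps += n
        if ok:
            return True, steps
    return False, steps

def backref_steps(needle, data):
    """Model of /(foo).*\\1/: EXACT, greedy STAR over REG_ANY, then REF1."""
    steps = 0
    for start in range(len(data) - len(needle) + 1):
        ok, n = _exact(needle, data, start)          # OPEN1, EXACT, CLOSE1
        steps += n
        if not ok:
            continue
        first = end = start + len(needle)
        while end < len(data) and data[end] != NEWLINE:  # STAR REG_ANY
            end += 1
            steps += 1
        for pos in range(end, first - 1, -1):        # backtrack, retry REF1
            ok, n = _exact(needle, data, pos)
            steps += n
            if ok:
                return True, steps
    return False, steps

# Constructed payloads (not captured traffic).
ONE_FOO = b"foo" + b"x" * 1000            # no second "foo": full backtrack
TWO_FOO = b"foo" + b"x" * 1000 + b"foo"   # second "foo" at the very end

if __name__ == "__main__":
    for name, data in (("ONE_FOO", ONE_FOO), ("TWO_FOO", TWO_FOO)):
        print(name, literal_steps(b"foo", data), backref_steps(b"foo", data))
```

In this model the literal scan stops after 3 comparisons on both payloads, while the backreference form walks the whole payload with .* and then backtracks over it before it can report a result.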







