This is a discussion on Re: [Snort-users] Overhead caused by PCRE? within the Snort forums, part of the System Security and Security Related category.
At 08:22 PM 2/28/2005, Jeff McCarthy wrote:
>I have a question regarding using PCRE in Snort rules.
>If I write 100 rules using content: and 100 using
>PCRE, will there be a noticeable difference in
>processing time or CPU utilization?

That depends a lot on the regular expression...

Some regexes evaluate quickly... i.e. /foo/ evaluates fast.. Probably a bit slower than a similar content rule, but not wildly so.

However, a regex with lots of combinations, back references, use of .* etc. can really increase the complexity of a regex. These can be many orders of magnitude more complex..

For example, let's add just a .* followed by a backreference to make the /foo/ regex more painful..

    /(foo).*\1/

Compare the number of offset annotation bytes in these two regexes. Look at the number of bytes of offset annotations... They've gone up to over triple their previous size.

    $ perl -Mre=debug -e "/(foo).*\1/"
    Freeing REx: `","'
    Compiling REx `(foo).*\1'
    size 11 Got 92 bytes for offset annotations.
    first at 3
    rarest char f at 0
       1: OPEN1(3)
       3:   EXACT <foo>(5)
       5: CLOSE1(7)
       7: STAR(9)
       8:   REG_ANY(0)
       9: REF1(11)
      11: END(0)

    $ perl -Mre=debug -e "/foo/"
    Freeing REx: `","'
    Compiling REx `foo'
    size 3 Got 28 bytes for offset annotations.
    first at 1
    rarest char f at 0
       1: EXACT <foo>(3)
       3: END(0)
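Added example, not part of the original post or of Snort itself: a small Python audit that scans rule text for pcre options containing the constructs the reply names as costly (a `.` repeated with `*` or `+`, and backreferences), and also counts alternation as an assumed stand-in for "lots of combinations". The sample rules, their SIDs and the function names are constructed for illustration.

```python
import re

# Only the /regex/flags form of Snort's pcre option is parsed here.
PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/([A-Za-z]*)"\s*;')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')

# Constructed sample rules for illustration; the SIDs are made up.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"content only"; content:"foo"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"simple pcre"; pcre:"/foo/"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"backref"; pcre:"/(foo).*\1/"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"escaped"; pcre:"/a\.\*b\\1[.*|]/i"; sid:1000004; rev:1;)
'''

def costly_constructs(pattern):
    """Count .*/.+ repeats, backreferences and alternations in a regex body."""
    counts = {"wildcard_repeat": 0, "backreference": 0, "alternation": 0}
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            # \1..\9 outside a class is a backreference; other escapes are literals.
            if not in_class and pattern[i + 1] in "123456789":
                counts["backreference"] += 1
            i += 2
            continue
        if in_class:
            in_class = ch != "]"          # metacharacters are literal inside [...]
        elif ch == "[":
            in_class = True
        elif ch == "|":
            counts["alternation"] += 1
        elif ch == "." and pattern[i + 1:i + 2] in ("*", "+"):
            counts["wildcard_repeat"] += 1
        i += 1
    return counts

def audit_rules(text):
    """Return one finding per uncommented rule whose pcre has costly constructs."""
    findings = []
    for line in text.splitlines():
        m = PCRE_OPT.search(line)
        if not m or line.lstrip().startswith("#"):
            continue
        counts = costly_constructs(m.group(1))
        if any(counts.values()):
            sid = SID_OPT.search(line)
            findings.append({"sid": sid and int(sid.group(1)), "pcre": m.group(1), **counts})
    return findings
```

Calling `audit_rules(SAMPLE_RULES)` reports only the rule carrying `/(foo).*\1/`; the plain `/foo/` rule and the rule whose metacharacters are escaped or inside a character class are not flagged.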