
[Snort-users] Re: [Snort-sigs] Overhead caused by PCRE?



Old 03-02-2005
Brian
 

On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:
> I have a question regarding using PCRE in Snort rules. If I write
> 100 rules using content: and 100 using PCRE, will there be a
> noticeable difference in processing time or CPU utilization?


Yes & No. I'll try to explain with the 4 different cases I come
across on a regular basis.

1) single rule, single string match

In the single rule string match case, both PCRE & content use
Boyer-Moore. However, pcre has a small amount of additional
function call overhead, giving content a slight win. However, in
most cases the additional overhead is negligible.

2) multiple single string match

If all the rules are doing is a simple string match, pcre will win
by a long shot if implemented as a single combined pcre statement.

While the multi-pattern match engine in Snort can be faster, the
additional function call overhead of evaluating multiple rules
makes pcre the clear winner.

This implementation has the drawback of Snort only generating a
single message for all of the patterns that make up the pcre. This
method should only be used when this drawback is acceptable.

See virus.rules for an example of an "optimized"
combined pcre statement.

3) multiple rules, single string match and other detection plugins

content wins here, same as in the single rule single content.
Multiple pcre statements are slower than multiple contents.

4) multiple rules, complex pattern match

If the string match is more complicated than what can be
implemented with "strcmp", then pcre is the only way to go.
content can't do complicated pattern matching, so pcre is the only
method available. As such pcre wins.

Brian
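An added illustration of case 2 and its drawback, not taken from Brian's post or from virus.rules: three per-string content rules beside one combined pcre rule. The user-agent strings, sids and the $HTTP_PORTS variable are constructed for the example.

```snort
# Style A (case 2, separate rules): one rule per string. Three rule
# evaluations per packet, but each alert carries the exact string that hit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE user-agent alpha-bot"; flow:to_server,established; content:"User-Agent|3a| alpha-bot"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE user-agent beta-bot"; flow:to_server,established; content:"User-Agent|3a| beta-bot"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE user-agent gamma-bot"; flow:to_server,established; content:"User-Agent|3a| gamma-bot"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)

# Style B (case 2, combined pcre): one rule, one pcre call for all three
# strings. The short content keyword is an added prefilter so the pcre only
# runs on packets that contain a User-Agent header at all.
# Drawback described above: every hit raises the same msg/sid, so the alert
# no longer says which of the three strings actually matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE user-agent alpha/beta/gamma-bot"; flow:to_server,established; content:"User-Agent|3a| "; nocase; pcre:"/^User-Agent\x3a\s+(alpha|beta|gamma)-bot/mi"; classtype:trojan-activity; sid:1000004; rev:1;)
```

If the analyst needs to know which string fired (for triage or tuning), style A is the one to keep; style B trades that attribution for fewer rule evaluations.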

