Snort mailing list archives
Re: [Snort-sigs] Overhead caused by PCRE?
From: Brian <bmc () snort org>
Date: Wed, 2 Mar 2005 11:15:08 -0500
On Mon, Feb 28, 2005 at 05:22:43PM -0800, Jeff McCarthy wrote:

> I have a question regarding using PCRE in Snort rules. If I write 100 rules using content: and 100 using PCRE, will there be a noticeable difference in processing time or CPU utilization?
Yes & No. I'll try to explain with the 4 different cases I come across on a regular basis.

1) single rule, single string match

In the single rule string match case, both PCRE & content use boyer-moore. However, pcre has a small amount of additional function call overhead, giving content a slight win. However, in most cases the additional overhead is negligible.

2) multiple single string match

If all the rules are doing is a simple string match, pcre will win by a long shot if implemented as a single combined pcre statement. While the multi-pattern match engine in Snort can be faster, the additional function call overhead of evaluating multiple rules makes pcre the clear winner. This implementation has the drawback of Snort only generating a single message for all of the patterns that make up the pcre. This method should only be used when this drawback is acceptable. See virus.rules for an example of an "optimized" combined pcre statement.

3) multiple rules, single string match and other detection plugins

content wins here, same as in the single rule single content. Multiple pcre statements are slower than multiple contents.

4) multiple rules, complex pattern match

If the string match is more complicated than what can be implemented with "strcmp", then pcre is the only way to go. content can't do complicated pattern matching, so pcre is the only method available. As such pcre wins.

Brian
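Case 2 and its drawback, written out as an added illustration that is not part of Brian's message or of the Snort project's own virus.rules (the rule headers, attachment names and SIDs in the local 1000000+ range are constructed for this example):

```snort
# Constructed example: three separate single-string rules (case 2, the slow form).
# Each rule carries its own msg and sid, so an alert names the exact string that hit,
# but Snort pays the per-rule evaluation overhead for every one of them.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE worm A attachment name"; \
    flow:to_server,established; content:"worm-a.exe"; nocase; \
    classtype:misc-activity; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE worm B attachment name"; \
    flow:to_server,established; content:"worm-b.scr"; nocase; \
    classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE worm C attachment name"; \
    flow:to_server,established; content:"worm-c.pif"; nocase; \
    classtype:misc-activity; sid:1000003; rev:1;)

# The same three strings folded into one pcre alternation (the faster form Brian
# describes). Only one rule is evaluated per packet; the /i flag replaces nocase.
# The trade-off: one msg and one sid cover all three strings, so the alert can no
# longer tell the analyst which attachment name actually matched.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE known worm attachment name"; \
    flow:to_server,established; pcre:"/worm-a\.exe|worm-b\.scr|worm-c\.pif/i"; \
    classtype:misc-activity; sid:1000004; rev:1;)
```

Keep the separate-rule form where per-pattern alerting matters for triage; use the combined pcre only when a single generic message is acceptable, as Brian notes.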