Re: Overhead caused by PCRE?

[Matt Kettler <mkettler () evi-inc com>]

At 08:22 PM 2/28/2005, Jeff McCarthy wrote:
> I have a question regarding using PCRE in Snort rules.
> If I write 100 rules using content: and 100 using
> PCRE, will there be a noticable difference in
> processing time or CPU utilization?

That depends a lot on the regular expression...

Some regexes evaluate quickly... ie: /foo/ evaluates fast.. Probably a bit 
slower than a similar content rule, but not wildly so.

However, a regex with lots of combinations, back references, use of .* etc 
can really increase the complexity of a regex. These can be many orders of 
magnitude more complex..

For example let's add just a .* followed by a backreference to make the 
/foo/ regex more painful..
 /(foo).*\1/

Compare the number of offset annotation bytes in these two regexes. Look at 
the number of bytes of offset annotations...They've gone up to over tripple 
their previous size.

$ perl -Mre=debug -e  "/(foo).*\1/"
Freeing REx: `","'
Compiling REx `(foo).*\1'
size 11 Got 92 bytes for offset annotations.
first at 3
rarest char f at 0
   1: OPEN1(3)
   3:   EXACT <foo>(5)
   5: CLOSE1(7)
   7: STAR(9)
   8:   REG_ANY(0)
   9: REF1(11)
  11: END(0)


$ perl -Mre=debug -e  "/foo/"
Freeing REx: `","'
Compiling REx `foo'
size 3 Got 28 bytes for offset annotations.
first at 1
rarest char f at 0
   1: EXACT <foo>(3)
   3: END(0)






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users