18 Aug 15:08
Re: Performance tip
Brian Rectanus <brectanu <at> gmail.com>
2006-08-18 13:08:42 GMT
On 8/17/06, Tom Anderson <tanderso <at> oac-design.com> wrote:
> Regarding readability, as far as I'm concerned, the shorter the better,
> which is why condensed regexes are great. If you cannot read regexes,
> that's what comments are for. But let's get serious -- any sysadmin
> worth his salt needs to know how to read and write regular expressions.
> To me, a regular expression is far more readable than a long English
> comment or a multi-line block of code. If you have to translate it, do
> so in a comment, but you shouldn't really need subtitles to use a common
> system tool like regexes unless some particular pattern is really
> convoluted or tricky.

I don't think the comments should be for translating the RE, but instead what the RE's purpose is or the logical steps it is following in a chained rule. So, not 'matches foo followed by any chars up to bar', but 'detect foobar attack by looking for attack signature from CVE-blah'. Other comments could be an example of an attack request, etc. I think these comments are far more useful than trying to explain the RE syntax. For multiple attack signatures combined into a single rule via '|', this becomes hard to comment with just Apache comments.

Although Ivan's note was for ORing simple rules -- which I think is good -- I am still not convinced that this gives that much performance benefit from anything but ORing simple matches like keywords. In other words, I don't think all cases will benefit here. I still have yet to see hard numbers that show that combining 100 complex rules down to one has performance benefits worth the extra complexity and error-prone nature of more complex rules. Anyone have hard stats with numbers they would like to share?

-B
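Added example, not part of the original thread or of ModSecurity: a small harness for collecting the kind of numbers the message asks for, timing 100 separate rules against the same 100 rules ORed with '|', once for keyword rules and once for more complex ones. It assumes Python's `re` engine rather than the regex library the module uses, and the rule sets and request lines are constructed, so the output shows how to measure, not what a production rule set would cost.

```python
import re
import timeit

# Constructed rule sets (not real signatures): 100 keyword rules and
# 100 "complex" rules that use wildcards and character classes.
KEYWORDS = [f"kw{i:03d}" for i in range(100)]
COMPLEX = [rf"p{i:03d}=[a-z]*\d+.*end{i:03d}" for i in range(100)]

# Constructed request lines: mostly clean traffic plus one hit per rule set.
LINES = [f"GET /app/page{i}?q=value{i}&lang=en HTTP/1.1" for i in range(200)]
LINES += ["GET /x?kw042=1 HTTP/1.1", "GET /y?p007=abc123zzend007 HTTP/1.1"]


def verdicts_separate(patterns, lines):
    """One compiled regex per rule; a line is flagged if any rule matches."""
    compiled = [re.compile(p) for p in patterns]
    return [any(rx.search(line) for rx in compiled) for line in lines]


def verdicts_combined(patterns, lines):
    """All rules ORed into one regex with '|', each wrapped in (?:...)."""
    rx = re.compile("|".join(f"(?:{p})" for p in patterns))
    return [rx.search(line) is not None for line in lines]


def benchmark(patterns, lines, repeat=3):
    """Return (separate_s, combined_s): best of `repeat` runs, compile time excluded."""
    compiled = [re.compile(p) for p in patterns]
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    sep = min(timeit.repeat(
        lambda: [any(rx.search(l) for rx in compiled) for l in lines],
        number=1, repeat=repeat))
    com = min(timeit.repeat(
        lambda: [combined.search(l) is not None for l in lines],
        number=1, repeat=repeat))
    return sep, com


if __name__ == "__main__":
    for name, rules in (("keywords", KEYWORDS), ("complex", COMPLEX)):
        # The combined rule must flag exactly the same lines, or the timing is meaningless.
        assert verdicts_separate(rules, LINES) == verdicts_combined(rules, LINES)
        sep, com = benchmark(rules, LINES)
        print(f"{name:9s} separate={sep * 1e3:.2f} ms  combined={com * 1e3:.2f} ms")
```

The equivalence check before timing addresses the error-prone side of combining rules: a missing `(?:...)` wrapper around an alternative changes what the combined rule matches.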