From: Ivan Ristic <ivan.ristic@gm...> - 2006-08-22 10:46:27
Just as a follow-up to our recent discussion on performance:
ModSecurity uses the PCRE engine at the moment to match patterns
sequentially. On its own PCRE appears to be pretty fast. While some
gains can be achieved by using a different pattern matching algorithm
(e.g. I made some tests with Boyer–Moore–Horspool - see
http://en.wikipedia.org/wiki/Boyer-Moore-Horspool_algorithm) to really
speed things up one needs to move up to the set-based pattern
matching, where all patterns are matched at the same time.
There are many papers available on this subject on the Internet. By
way of an example, here's (a good) one:
Fast Content-Based Packet Handling for Intrusion Detection
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
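
Added example, not part of the original message and not ModSecurity code: the message names no particular set-based algorithm, so this sketch uses Aho-Corasick, which compiles a set of literal patterns into one automaton and reports every match in a single pass over the input. The names ac_build and ac_scan, the table sizes and the literal patterns are assumptions made for illustration.

```c
#include <string.h>

#define MAXS 256   /* max states: total pattern bytes + 1 (not bounds-checked here) */

static int next_[MAXS][256], fail_[MAXS], nstates;
static unsigned out_[MAXS];   /* bit i set: pattern i ends in this state (max 32) */

/* Build an Aho-Corasick automaton over n literal patterns. */
void ac_build(const char **pats, int n) {
    int queue[MAXS], head = 0, tail = 0;
    memset(next_, -1, sizeof next_);
    memset(out_, 0, sizeof out_);
    nstates = 1;
    for (int i = 0; i < n; i++) {               /* 1. insert patterns into a trie */
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)pats[i]; *p; p++) {
            if (next_[s][*p] < 0) next_[s][*p] = nstates++;
            s = next_[s][*p];
        }
        out_[s] |= 1u << i;
    }
    for (int c = 0; c < 256; c++) {             /* 2. root: missing edges loop back */
        int t = next_[0][c];
        if (t < 0) next_[0][c] = 0;
        else { fail_[t] = 0; queue[tail++] = t; }
    }
    while (head < tail) {                       /* 3. BFS: failure links, full DFA */
        int s = queue[head++];
        for (int c = 0; c < 256; c++) {
            int t = next_[s][c];
            if (t < 0) { next_[s][c] = next_[fail_[s]][c]; continue; }
            fail_[t] = next_[fail_[s]][c];
            out_[t] |= out_[fail_[t]];          /* inherit patterns that are suffixes */
            queue[tail++] = t;
        }
    }
}

/* One pass over the input: one table lookup per byte, however many patterns. */
unsigned ac_scan(const char *text, size_t len) {
    unsigned hits = 0;
    int s = 0;
    for (size_t i = 0; i < len; i++) {
        s = next_[s][(unsigned char)text[i]];
        hits |= out_[s];
    }
    return hits;
}
```

Call ac_build once with the pattern set, then ac_scan on each input; the returned bitmask has bit i set when pattern i occurred anywhere in the input, so a sequential engine's per-pattern loop becomes a single scan.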