LogAnalysis mailing list archive
Thread index: "[logs] regexless parsing, again?"
  Re: Re: [logs] regexless parsing, again?  Sep 18 2007 04:51PM  Marcus J. Ranum (mjr ranum com)  (2 replies)
  Re: Re: [logs] regexless parsing, again?  Sep 20 2007 12:59AM  Mordechai T. Abzug (morty frakir org)  (2 replies)
  Re: [logs] regexless parsing, again?  Sep 20 2007 02:07PM  Mike Heisler (mgh4 cornell edu)  (2 replies)
  RE: [logs] regexless parsing, again?  Sep 20 2007 07:31PM  Rainer Gerhards (rgerhards hq adiscon com)  (1 reply)
  Re: [logs] regexless parsing, again?  Sep 24 2007 10:30PM  Anton Chuvakin (anton chuvakin org)  (3 replies)
  RE: [logs] regexless parsing, again?  Sep 27 2007 04:41PM  Eric Fitzgerald (Eric Fitzgerald microsoft com)  (1 reply)
  RE: Re: [logs] regexless parsing, again?  Sep 20 2007 06:48AM  Rainer Gerhards (rgerhards hq adiscon com)
> Isn't this list moderated?
Yes, this list is moderated. I've been doing it solo (with occasional bursts
of assistance from Marcus) since its creation; I'm currently ably partnered
by Dee-Ann LeBlanc, of Splunk, who amongst other things is a Linux wizard.
I should point out for the sake of our non-Splunk vendor participants that I
moderate all posts originating from vendors, to try to minimize any vendor
bias. The list has been vendor neutral for a long time; I intend to keep it
that way.
> --- "Marcus J. Ranum" <mjr (at) ranum (dot) com [email concealed]> wrote:
>
> > >> There have been some amazing advances in hardware
> > to do PCRE.
> >
> > That'd be the "hardware turbo-charged lipstick on a
> > pig" option.
> Being a nobody in this sector, I personally like
> getting different points of views and hearing about
> these new methods and ideas for doing things.
Please don't belittle yourself and your experience. There are certainly a
few of us who are more vocal than most list members. Whether or not that's a
good thing, I don't know -- more input is great, higher levels of traffic
might be annoying...but in any event, every person who participates in a
discussion has the same right and expectation of being heard.
Anyways, didn't you say you were involved with security at Cisco? To me,
that implies a certain level of operational exposure and experience that
hardly qualifies you as a "nobody" -- I expect you must have a lot of data
and conclusions from the ginormous Cisco infrastructure that are quite
relevant to this discussion.
> A post like this really just mutes the conversation.
> These "I know better than you" posts have basically
> killed this interesting thread without adding anything
> to it...
Have you been on this list for a while? If you've followed mjr's typical
posting style, this message will not seem out of place -- and the rest of us
tend to laugh and go on, or completely ignore them.
As far as I can tell by reviewing the last few messages in this thread, we
are at a point in the discussion best summarized by Tom Le:
"More like: "Marcus, you should separate discussion of regexes vs. other
parsing approaches into separate categories: performance, initial ruleset
development cost, and on-going maintenance."
Each discussion has its pros and cons with different cost(x) *
complexity(y) functions depending on what you're doing and the size of your
rulesets. I was just trying to explore a deeper level of discussion than
the usual 'regexes suck' or 'PCRE performance sucks' or 'maintaining 100,000
rules is ugly' type discussions."
So far I've seen few substantive responses to Tom's summary. Come on, folks,
carry on! I have a lot of opinions on the development of regexes and
rulesets, mostly from my days at Counterpane. I don't have time right this
very moment to summarize them, but I will do so later on today.
In the meantime, the other 1800+ of you can carry the thread ;-)
Hope that helps -- tbird
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis