In message <[EMAIL PROTECTED]>,
Ton Voon writes:
>On 28 Jul 2008, at 16:27, John P. Rouillard wrote:
>> In any case, the patch you supplied
>>
>> + if ($ref->{"Type"} == SUPPRESS) { ++$ref->{"MatchCount"};
>> return 1; }
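Review bot: the added line returns 1 for every rule whose Type is SUPPRESS without any context test in front of it, and `++$ref->{"MatchCount"}` is then counted for events the rule may never have applied to. Suggest keeping the early return only behind the rule's context evaluation, so a suppress rule with a `context=` field still honours it and MatchCount reflects real matches.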
>>
>> if I understand it, doesn't evaluate the context expression at all, so
>> if I had a rule:
>>
>> type=suppress
>> context = from9to5
>> ptype=substr
>> pattern= charlie
>>
>> it would fire at all times not just when the from9to5 context was
>> true.
>> This is certainly incorrect.
>
>
>Yes, I've realised this too.
>
>It turns out that I've been using contexts when I should be using
>separate rule files. So I had a rule file like:
>
>type=suppress
>context=logtype1
>...
>
>type=single
>context=logtype1
>
>type=suppress
>context=logtype2
>
>type=single
>context=logtype2
>
>With a startup of -input file=logtype2
>
>Now this meant that all the rules for logtype1 had to be checked
>before logtype2 was being run.
>
>Moving the first suppress for logtype2 rules to the top of my testing
>decreased the time to 6 seconds. So the slowdown is due to evaluating
>lots of rules that are not applicable, rather than the context
>checking. In summary, this looks like user error at the moment.

Splitting the files is the best way. See:
http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf
pages 30-32 for an example of improving performance by using multiple
files and guard rules to segment your rule sets. (Note: I am the
author of the paper.)
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
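
Added example, not part of the original message or of the paper cited above: one way to lay out the split rule files with a guard rule at the top of each. The file names, `desc` strings and the Single rules' patterns and actions are hypothetical; the context names `logtype1` and `logtype2` are the ones from the thread, assumed to be set per input via the `-input file=context` startup option, and `ptype=TValue` assumes a SEC version that supports it.

```conf
# ---- file: logtype1.sec (hypothetical name) ----
# Guard rule: an event read while the logtype1 context is NOT set is
# suppressed here, after one cheap test, so none of the patterns further
# down in this file are evaluated against it.
type=Suppress
ptype=TValue
pattern=TRUE
context=!logtype1
desc=guard: event is not from a logtype1 input

# Only logtype1 events reach this point, so the rules below no longer
# need their own context=logtype1 field.
type=Single
ptype=SubStr
pattern=charlie
desc=charlie seen in logtype1 input
action=write - %s

# ---- file: logtype2.sec (hypothetical name) ----
# Same guard for the second rule set. A Suppress rule only affects the
# rules that follow it in the same file, so this guard and the one in
# logtype1.sec do not interfere with each other.
type=Suppress
ptype=TValue
pattern=TRUE
context=!logtype2
desc=guard: event is not from a logtype2 input

type=Single
ptype=SubStr
pattern=delta
desc=delta seen in logtype2 input
action=write - %s
```

With this layout an event from the logtype2 input costs one context test in logtype1.sec instead of a pass over every logtype1 rule.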