300-500 byte payloads are not that small by the standards of typical Hyperscan usage.
We would be interested to see some feedback on usage of Hyperscan for log analysis. One
potential pitfall is that many of these usages tend to be heavy users of capturing
subexpressions. We did have a sub-project historically (Chimera) that supported capturing
subexpressions and seamless fallback to libpcre (block or “non streaming” mode only) for
patterns that Hyperscan could not support.
Geoff.
From: Hyperscan [mailto:hyperscan-bounces@lists.01.org] On Behalf Of Champ Clark III
Sent: Tuesday, June 14, 2016 11:47 AM
To: hyperscan(a)ml01.01.org
Subject: [Hyperscan] Hyperscan with Sagan
Hello,
I've been following the introduction of Hyperscan as a libpcre replacement in tools
like Snort and Suricata. I've been thinking about adding Hyperscan support into
Sagan, a log analysis engine that I've been working on for several years
(https://quadrantsec.com/sagan_log_analysis_engine/). I've just started looking over
the API and Hyperscan looks interesting/straight forward.
Since Sagan deals with pretty small "payloads" (log lines), which are typically
300-500 bytes in nature, I'm wondering if this will affect Hyperscan performance?
Thanks!
- Champ Clark III
cclark@quadrantsec.com