
Rule Load Formula: msg#00071

security.ids.snort.bleedingsnort

Subject: Rule Load Formula

It seems to me that it should be possible to create a somewhat simple
(or at least straightforward) formula for how much effort it takes to
process a given rule. It could be as simple as a unit of snort
processing so that rule comparisons can be made, though not translated
directly to actual CPU cycles or other measurable real-world events.

I'm not sure if benchmarking or code-analysis (or some combination)
would prove the most accurate. Obviously, different
compiling/architecture options affect Snort's performance, but it
seems to me that a theoretical performance formula is tangible based
on the source code. I also think that it would be fair to assume that
the ac-bnfa matching algorithm is used, since it is destined to be the
default.

So, to that end, do you think this mailing list could put together
something to start a list of values where an oink = 1 unit of Snort
processing load? Even estimated values would be helpful.

Matching Oinks
content x (per char)
pcre x (per char)
rawbytes x (per char)
uricontent x (per char)
isdataat x
byte_test x
byte_jump x
ftpbounce x
regex x (per char)

Modifiers Oinks
nocase x
depth x
offset x
distance x
within x

Non-payload Oinks
fragoffset x
ttl x
tos x
id x
ipopts x
fragbits x
dsize x
flags x
flow x
flowbits x
seq x
ack x
window x
itype x
icode x
icmp_id x
icmp_seq x
rpc x
ip_proto x
sameip x

We'd then need to figure out multipliers for single/all ports and IP
filters as well as other miscellaneous additions to the formula.

So, if something like this has been done, please point me to it, but I
was unable to Google anything like this, and I figured that with all
of the seasoned Snort vets on this list we ought to be able to come up
with something.

--Martin
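The skeleton of the estimator the post asks for, as an added example that is not part of the original message or of Snort itself: a Python script that parses a rule's option body, charges per-character options by pattern length, charges flat costs for the other options, and applies header multipliers. Every weight (PER_CHAR, FLAT, UNKNOWN_OPTION, ANY_PORT_MULT, ANY_IP_MULT) is an assumed placeholder standing in for the post's "x", and the two sample rules are constructed for illustration, not real signatures.

```python
# Toy "oink" estimator for Snort rules. Added example, not from the post or
# from Snort. Every weight is a hypothetical placeholder for the post's "x".
import re
from typing import Dict, List, Tuple

# Assumed weights in oinks. Per-character options scale with pattern length.
PER_CHAR = {"content": 1.0, "uricontent": 1.0, "pcre": 4.0}
FLAT = {
    # matching options without a per-character component
    "isdataat": 1.0, "byte_test": 2.0, "byte_jump": 2.0, "ftpbounce": 3.0,
    # content modifiers
    "nocase": 0.5, "rawbytes": 0.5, "depth": 0.2, "offset": 0.2,
    "distance": 0.2, "within": 0.2,
    # non-payload options
    "fragoffset": 0.2, "ttl": 0.2, "tos": 0.2, "id": 0.2, "ipopts": 0.3,
    "fragbits": 0.2, "dsize": 0.2, "flags": 0.3, "flow": 0.5, "flowbits": 0.8,
    "seq": 0.2, "ack": 0.2, "window": 0.2, "itype": 0.2, "icode": 0.2,
    "icmp_id": 0.2, "icmp_seq": 0.2, "rpc": 1.0, "ip_proto": 0.2, "sameip": 0.2,
}
UNKNOWN_OPTION = 1.0   # assumed cost for an option missing from the tables
ANY_PORT_MULT = 1.5    # assumed: an "any" port exposes the rule to more packets
ANY_IP_MULT = 1.25     # assumed: literal "any" address only; $VARS are not expanded
BOOKKEEPING = {"msg", "sid", "rev", "classtype", "reference", "priority", "metadata"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';', honouring double quotes and backslash
    escapes so content:"a;b" stays one option."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    opts.append("".join(cur))
    out = []
    for tok in opts:
        tok = tok.strip()
        if tok:
            name, _, value = tok.partition(":")
            out.append((name.strip(), value.strip()))
    return out


def _unquote(value: str) -> str:
    s = value.strip()
    if s.startswith("!"):          # a negated match still costs the comparison
        s = s[1:].strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s


def content_bytes(value: str) -> int:
    """Bytes a content/uricontent pattern compares: text counts one per
    character (an escape such as \\" or \\| counts once), a |0d 0a| section
    counts one per hex byte."""
    s = _unquote(value)
    n, i, in_hex = 0, 0, False
    while i < len(s):
        ch = s[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if not ch.isspace():
                n += 1
                i += 1              # skip the second hex digit
            i += 1
        else:
            n += 1
            i += 2 if ch == "\\" else 1
    return n


def pcre_chars(value: str) -> int:
    """Characters between the pcre delimiters; trailing flags are not counted."""
    s = _unquote(value)
    start, end = s.find("/"), s.rfind("/")
    return len(s) if start < 0 or end <= start else end - start - 1


def score_rule(rule: str) -> Dict[str, object]:
    """Return the per-option breakdown, header multiplier and total oinks."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule[:40])
    breakdown: Dict[str, float] = {}
    for name, value in split_options(m.group("opts")):
        if name in BOOKKEEPING:
            continue
        if name in PER_CHAR:
            n = pcre_chars(value) if name == "pcre" else content_bytes(value)
            cost = PER_CHAR[name] * n
        else:
            cost = FLAT.get(name, UNKNOWN_OPTION)
        breakdown[name] = breakdown.get(name, 0.0) + cost
    mult = 1.0
    if "any" in (m.group("sport"), m.group("dport")):
        mult *= ANY_PORT_MULT
    if "any" in (m.group("src"), m.group("dst")):
        mult *= ANY_IP_MULT
    return {"breakdown": breakdown, "multiplier": mult,
            "total": sum(breakdown.values()) * mult}


# Constructed sample rules for illustration, not real signatures.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed http"; '
    'flow:to_server,established; content:"GET "; nocase; depth:4; '
    'content:"|0d 0a|"; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"constructed pcre"; '
    r'pcre:"/^USER\s+[^\n]{100,}/smi"; sid:1000002;)',
]

if __name__ == "__main__":
    for rule in RULES:
        r = score_rule(rule)
        print("%8.2f oinks  x%.3f  %s" % (r["total"], r["multiplier"], r["breakdown"]))
```

Whatever numbers eventually replace the placeholders, the bookkeeping above is what any such formula needs: option splitting that survives a ';' inside a quoted content string, a byte count that treats a |0d 0a| section as two bytes rather than seven characters, a pcre length that ignores the trailing flags, and a header multiplier applied after the option costs are summed.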

