Snort mailing list archives
Re: order of rules in rule files?
From: Chris Green <cmg () uab edu>
Date: Tue, 12 Feb 2002 20:41:48 -0600
Jason Haar <Jason.Haar () trimble co nz> writes:
> On Tue, Feb 12, 2002 at 04:58:55PM -0600, Chris Green wrote:
>> Since snort cares about rule ordering and processes them in first per port basis, it does actually matter where you put your rules. The
>
> Wow - first time I've heard that. Is there any script for optimizing the rule order? I've bunged a whole bunch of internal rules into snort, I never thought I could optimize them by choosing where to put them...
I don't think I was very clear. What I meant is that suppose there are 5 rules that detect exploits for tcp $HOME_NET 80

  uricontent: "/hi"
  uricontent: "/hitme"
  uricontent: "/hitme?with"
  uricontent: "/hitme?with+"
  uricontent: "/hitme?with+expl0its"

No matter what url you are hit with and the exploits one is the best match, only the first one will be hit. The end user optimization is to avoid "dead" rules.
> In fact, doesn't that imply we should look at re-writing the snort rulesets into protocol-based sets instead of type (web*,smtp*,etc)?
No. At some point in the foreseeable future, the detection engine will be altered to do any or quickest match. The less end user burden, the better.
> Actually, if a script doesn't exist, I think even I could whack one up. Surely you could sort by protocol, and then ensure that all rules that contain "content" calls appear before rules that don't. That'd do a pretty good job...?
Rules are generally written with a catchall rule at the end. Please ask further if I'm still being confusing

-- 
Chris Green <cmg () uab edu>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
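The "dead rule" problem Chris describes can be checked mechanically. The script below is an added example (not from this thread or the Snort project): it parses a constructed rule file shaped like the five-rule list above (written out as full Snort rule lines, which the message abbreviates), groups rules by header, and flags any rule whose uricontent contains an earlier same-header rule's uricontent as a substring, since under the first-match-per-port engine described here that later rule can never fire. It assumes uricontent is the only option that matters for the match.

```python
import re

# Constructed sample rules modelled on the message's example. The first rule
# (uricontent:"/hi") shadows every later port-80 rule whose uricontent
# contains "/hi"; the 8080 rule has a different header and is unaffected.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hi"; uricontent:"/hi"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hitme"; uricontent:"/hitme"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"with"; uricontent:"/hitme?with"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"expl0its"; uricontent:"/hitme?with+expl0its"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"other port"; uricontent:"/hitme"; sid:1000005;)
"""

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_rules(text):
    """Return a list of (header_tuple, uricontent_or_None, sid_or_None) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a single-line rule; ignore for this check
        header = m.groups()[:6]
        opts = m.group(7)
        uri = re.search(r'uricontent:\s*"([^"]*)"', opts)
        sid = re.search(r'sid:\s*(\d+)', opts)
        rules.append((header, uri.group(1) if uri else None,
                      int(sid.group(1)) if sid else None))
    return rules


def find_dead_rules(text):
    """Map each shadowed sid to the sid of the earlier rule that wins under first-match."""
    rules = parse_rules(text)
    dead = {}
    for i, (hdr, uri, sid) in enumerate(rules):
        if uri is None:
            continue
        for ehdr, euri, esid in rules[:i]:
            # Same header and the earlier uricontent is a substring of this one:
            # every URI this rule would match already matched the earlier rule.
            if ehdr == hdr and euri is not None and euri in uri:
                dead[sid] = esid
                break
    return dead


if __name__ == '__main__':
    for sid, winner in sorted(find_dead_rules(SAMPLE_RULES).items()):
        print(f"sid {sid} is dead: shadowed by sid {winner}")
```

Reordering the flagged rules so the most specific uricontent comes first (or placing the catchall last, as Chris notes) removes the shadowing.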