Snort mailing list archives
Re: order of rules in rule files?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 13 Feb 2002 15:44:46 +1300
On Tue, Feb 12, 2002 at 08:41:48PM -0600, Chris Green wrote:
> I don't think I was very clear. What I meant is that suppose there are
> 5 rules that detect exploits for tcp $HOME_NET 80:
>
>   uricontent: "/hi"
>   uricontent: "/hitme"
>   uricontent: "/hitme?with"
>   uricontent: "/hitme?with+"
>   uricontent: "/hitme?with+expl0its"
>
> No matter what URL you are hit with, and even when the exploits one is
> the best match, only the first one will be hit. The end user
> optimization is to avoid "dead" rules.

Ah right - makes more sense.

> No. At some point in the foreseeable future, the detection engine will
> be altered to do any or quickest match. The less end user burden, the
> better.
>
> Rules are generally written with a catchall rule at the end. Please ask
> further if I'm still being confusing.

Nope - I'm alright now - I'm no router ;-)

-- 
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
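The first-match problem Chris describes, as an added example written for this archive page (not code from the thread, and not Snort's own detection engine). It writes the five overlapping uricontent rules out as full rule lines in file order, parses the uricontent and sid out of each, and then evaluates a request URI two ways: first match in file order, which is what the thread says the engine does, and longest (most specific) match, which is what it says the engine is expected to move towards. It also lists which rules are "dead" under first match and shows that ordering by most-specific-first, so the shortest pattern becomes the catch-all at the end, removes them. Assumptions: the rule header, msg strings and sid numbers are invented; matching is modelled as a plain substring test of the uricontent value against the URI, ignoring ports, flow and every other rule option; the request URI is constructed.

```python
"""Simulate Snort first-match rule ordering over overlapping uricontent rules.

Example written for this archive page; not code from the thread or from
Snort. Rule matching is modelled as a plain substring test of the
uricontent value against the request URI; ports, flow and other options
are ignored. The rule header, sid and msg values are invented.
"""
import re

# The five overlapping rules from Chris Green's message, written out as full
# rule lines in file order (rule header and sid/msg values are assumed).
RULES_AS_POSTED = [
    'alert tcp any any -> $HOME_NET 80 (msg:"hi"; uricontent:"/hi"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"hitme"; uricontent:"/hitme"; sid:1000002;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"hitme with"; uricontent:"/hitme?with"; sid:1000003;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"hitme with plus"; uricontent:"/hitme?with+"; sid:1000004;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"hitme expl0its"; uricontent:"/hitme?with+expl0its"; sid:1000005;)',
]

_URICONTENT = re.compile(r'uricontent:\s*"([^"]*)"')
_SID = re.compile(r'\bsid:\s*(\d+)')


def parse_rule(line):
    """Return (sid, uricontent) for a rule line with one uricontent option."""
    m_uri = _URICONTENT.search(line)
    m_sid = _SID.search(line)
    if not (m_uri and m_sid):
        raise ValueError("rule needs uricontent and sid: %r" % line)
    return int(m_sid.group(1)), m_uri.group(1)


def first_match(rules, uri):
    """First-match evaluation as the thread describes: the first rule in
    file order whose uricontent appears in the URI fires; later rules are
    never consulted for this request."""
    for sid, pattern in rules:
        if pattern in uri:
            return sid
    return None


def best_match(rules, uri):
    """Most-specific match (longest uricontent that appears in the URI);
    the behaviour the thread says the engine is expected to move towards."""
    hits = [(len(pattern), sid) for sid, pattern in rules if pattern in uri]
    return max(hits)[1] if hits else None


def dead_rules(rules):
    """sids that can never fire under first-match: any URI containing their
    uricontent also contains an earlier rule's uricontent."""
    dead = []
    for i, (sid, pattern) in enumerate(rules):
        if any(earlier in pattern for _, earlier in rules[:i]):
            dead.append(sid)
    return dead


def most_specific_first(rules):
    """Reorder so longer (more specific) uricontent values come first; the
    shortest pattern ends up last as the catch-all."""
    return sorted(rules, key=lambda r: len(r[1]), reverse=True)


if __name__ == "__main__":
    rules = [parse_rule(line) for line in RULES_AS_POSTED]
    uri = "/hitme?with+expl0its"  # constructed request URI
    print("file order : first match ->", first_match(rules, uri),
          "best match ->", best_match(rules, uri))
    print("dead rules in file order:", dead_rules(rules))
    reordered = most_specific_first(rules)
    print("reordered  : first match ->", first_match(reordered, uri))
    print("dead rules after reorder:", dead_rules(reordered))
```

In file order the exploit URI fires sid 1000001 ("/hi") and rules 1000002 through 1000005 can never fire at all; after reordering, the same URI fires 1000005 and "/hi" sits last as the catch-all Chris mentions. The model is deliberately narrow: it only reproduces the first-match behaviour the thread describes, so check how the Snort version actually deployed evaluates overlapping rules before relying on any particular ordering.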
Current thread:
- order of rules in rule files? Marc Dreher (Feb 12)
- Re: order of rules in rule files? Chris Green (Feb 12)
- Re: order of rules in rule files? Jason Haar (Feb 12)
- Re: order of rules in rule files? Chris Green (Feb 12)
- Re: order of rules in rule files? Jason Haar (Feb 12)
- Re: order of rules in rule files? Jason Haar (Feb 12)
- Re: order of rules in rule files? Chris Green (Feb 12)