Snort mailing list archives

Content-list Ordering


From: Scott Fringer <fringsm () is2 hsnet ufl edu>
Date: Thu, 11 Jul 2002 13:40:42 -0400 (EDT)

I'm writing a rule using the content-list directive, and per the
documentation have created my content file (read the online doc and FAQ).

My question is how is the processing of this file handled?  Is the list
checked top-down and exited as soon as a match is made, or is every entry
compared regardless of when/how many matches occur?  So, should I put more
specific content at the top leaving less strict content at the end?  Does
it really matter?  (Just wanting to make things as easy on Snort as
possible; granted this content matching rule is the only rule this sensor
will be processing.  It's running for a specialized purpose.)

Thanks,
 Scott

Scott Fringer                              Shands Healthcare @ U.F.
Network Systems Analyst                        Gainesville, FL


