Snort mailing list archives

Snort Optimization: Better to Pass a rule or Disable?


From: "Mark Ewert" <mewert () ihcis com>
Date: Wed, 19 Nov 2003 21:26:37 -0500

Quick question - in optimizing Snort - is it better to create a pass
rule for a rule that triggers falsely or disable it? If my understanding
is correct, Snort processes rules in their order in the config file (per
the rule order configuration - log, alert, etc.). If a rule is
disabled (and not in the config file), does Snort still analyze the
traffic against its rule list (not finding a rule), therefore making a
pass rule more optimal (assuming Snort has been directed to examine pass
rules first, of course)? I'd appreciate any wisdom from fellow Snorters.

 

THANKS!

M

 

---------------------------------------------

Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com <http://www.ihcis.com/>

 

