Snort mailing list archives

Re: Rule order?

From: Ralf Spenneberg <lists () spenneberg org>
Date: 18 Dec 2003 13:46:42 +0100

Am Mit, 2003-12-17 um 21.32 schrieb Toby Rodwell:

I think I might be missing something basic here.  I'm getting to grips with
Snort, trying out some really simple configs.  I'm use to rules being run in
the sequence they appear, so I my snort.conf is currently this:-

Unfortunately, thats not the way snort evaluates the rules. Depending on
the Snort version the rules are reordered differently.
Snort always reorders the rules to increase its performance. It
practically builds its rule engine on the fly. If you are using Snort
2.x there is a whitepaper on the Snort homepage explaining the
multirule-engine.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Rule order? Toby Rodwell (Dec 17)
- Re: Rule order? Ralf Spenneberg (Dec 18)
  - W32/Sober.b snort rule jbendure (Dec 18)