Re: Snort 2.4.0 problem

[Frank Knobbe <frank () knobbe us>]

On Fri, 2005-07-29 at 11:06 -0500, Frank Knobbe wrote:
> > Any idea why and what 'Pure' is?  How can it not be supported at this
> > time if it's the latest version of snort? 2.3.3 seems to work fine.

Pure Not-rules are rules containing only a content:!"blah"; without a
'positive' content match (content:"blurb";).

The single match for "=" was dragging performance up since it occurred
before the pcre match, which is usually the way to go since content is
faster than pcre, but the match was no unique enough, incurring a lot of
recursion which hurt performance. Without that match, the performance
increased, but it seem because Snort just ignored that rule now :)

The content:"="; has been added again. Snort should now start without
those errors again. Changes have been committed to Bleeding. Please
update your Bleeding rules and try again.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part