Snort mailing list archives

Functional Rule-chain?


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Tue, 15 Jun 2010 09:36:48 -0400

Howdy all,

I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day. I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches. So I opened up rule 3819 and noticed it is just a "flowbits:set, chm_content_type; flowbits:noalert" rule for use by rule 3820. So I took a look at 3820 and it is disabled by default.

So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?

Cheers,

Parker
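The situation Parker describes, an enabled rule that only sets a flowbit while the sole rule that checks it is disabled, is easy to audit for mechanically across a whole ruleset. The script below is an added example, not code from the list post or from the Snort project: it parses rule lines, tracks which SIDs set and which SIDs check each flowbit, and reports enabled setters whose flag no enabled rule ever tests (wasted matching work) as well as enabled `isset` checkers whose flag no enabled rule ever sets (rules that can never fire). The rule text is constructed for the example; the bodies of SIDs 3819 and 3820 are placeholders and not the real VRT rule content.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample ruleset (placeholder rule bodies, not the real VRT text).
# SID 3819 sets a flowbit and never alerts; SID 3820, its only consumer, is
# commented out, i.e. disabled by default, as in the post.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED setter"; flow:to_client,established; content:"Content-Type|3A|"; flowbits:set,chm_content_type; flowbits:noalert; sid:3819; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED consumer"; flow:to_client,established; flowbits:isset,chm_content_type; content:"ITSF"; sid:3820; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED setter 2"; flowbits:set,example_flag; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED consumer 2"; flowbits:isset,example_flag; content:"X"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED consumer 3"; flowbits:isset,never_set; sid:1000003; rev:1;)
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+)")
SETTER_OPS = {"set", "toggle"}
CHECK_OPS = {"isset", "isnotset"}


def parse_rules(text: str) -> List[Tuple[int, bool, List[Tuple[str, str]]]]:
    """Return (sid, enabled, [(flowbits_op, flag_name), ...]) per rule line.

    A line whose first token (after any leading '#') is a rule action is a
    rule; a leading '#' marks it disabled. Only flowbits options are kept.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if body.split(None, 1)[0] not in ACTIONS:
            continue  # ordinary comment or non-rule line
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        bits = []
        for opt in FLOWBITS_RE.findall(body):
            parts = [p.strip() for p in opt.split(",")]
            op = parts[0]
            name = parts[1] if len(parts) > 1 else ""  # noalert has no name
            bits.append((op, name))
        rules.append((int(sid_m.group(1)), enabled, bits))
    return rules


def flag_usage(text: str) -> Dict[str, Dict[str, list]]:
    """Map each flag name to the SIDs that set it and the SIDs that check it."""
    usage = defaultdict(lambda: {"set_by": [], "checked_by": []})
    for sid, enabled, bits in parse_rules(text):
        for op, name in bits:
            if op in SETTER_OPS:
                usage[name]["set_by"].append((sid, enabled))
            elif op in CHECK_OPS:
                usage[name]["checked_by"].append((sid, enabled, op))
    return dict(usage)


def orphaned_setters(text: str) -> List[int]:
    """Enabled rules that set a flag which no enabled rule ever checks."""
    out = []
    for u in flag_usage(text).values():
        if not any(en for _, en, _ in u["checked_by"]):
            out.extend(sid for sid, en in u["set_by"] if en)
    return sorted(out)


def dead_checkers(text: str) -> List[int]:
    """Enabled 'isset' rules whose flag no enabled rule sets (they can never fire)."""
    out = []
    for u in flag_usage(text).values():
        if not any(en for _, en in u["set_by"]):
            out.extend(sid for sid, en, op in u["checked_by"] if en and op == "isset")
    return sorted(out)


if __name__ == "__main__":
    print("setters with no enabled consumer:", orphaned_setters(SAMPLE_RULES))
    print("isset rules with no enabled setter:", dead_checkers(SAMPLE_RULES))
```

Run against the constructed set, the report lists 3819 as a setter nobody consumes and 1000003 as a checker that can never fire. On a real deployment, feed it the concatenated `.rules` files after any disable/enable scripts (e.g. oinkmaster or pulledpork output) have been applied, since that is the state Snort actually loads; each hit is a candidate either to disable the setter or to enable its consumer, depending on whether the detection the pair implements is wanted.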
