Snort mailing list archives

Re: order of rules in rule files?


From: Chris Green <cmg () uab edu>
Date: Tue, 12 Feb 2002 16:58:55 -0600

Marc Dreher <MarcDreher () gmx net> writes:

> Hi,
>
> I have a question on the order of the rules in the default snort rules
> files. I am thinking of a way to keep track of changes made to the default rules
> files. If I update the rules I want to know which rules changed.
> Mostly, the rules are ordered by increasing sids, but only mostly. Is there
> some higher logic behind the ordering? Do new rules to a default ruleset just
> get appended to the file or are they somehow inserted into the file (grouped
> with other rules of the same kind / vulnerability etc?)

Since snort cares about rule ordering and processes them on a first per
port basis, it does actually matter where you put your rules.  The
linearly progressing nature of the sids down a rule file is because
they were assigned after many of the rules were defined.

> Diff as a possibility to compare the rulefiles would be easiest,
> but I am not sure if this is reliable.  Definitely reliable would be
> to sort the rules in each file by sid and then compare. Do I break
> the above mentioned higher logic if doing that :-)

The higher logic is

"GET A" should be checked before "GET"   so that the first one doesn't
catch all the instances.
-- 
Chris Green <cmg () uab edu>
Eschew obfuscation.
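The sid-keyed comparison Marc asks about, written out as an added example (this is not code from the thread or from the Snort project). It parses two rules files into {sid: normalized rule}, reports added, removed and changed sids, flags changed rules whose rev was not bumped, and shows for contrast why a plain line diff is noisy when rules are reordered or re-spaced. The rule text, the sid values and the `var` line are constructed sample data; the handling of `\"` inside quoted strings is an assumption about the rule syntax.

```python
"""Compare two Snort rules files by sid rather than by line position."""
import difflib
import re
from typing import Dict, List, Tuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def normalize(rule: str) -> str:
    """Collapse runs of whitespace outside double-quoted strings so cosmetic
    reformatting is not reported as a change. Whitespace inside quotes
    (e.g. content:"GET A") is part of the match pattern and is kept.
    Assumes an embedded quote is written as \\" (assumption, not from the page)."""
    out: List[str] = []
    in_quote = False
    prev = ""
    for ch in rule:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            if out and out[-1] == " ":
                prev = ch
                continue
            ch = " "
        out.append(ch)
        prev = ch
    return "".join(out).strip()


def parse_rules(text: str) -> Dict[int, str]:
    """Return {sid: normalized rule} for every rule in a rules file.
    Joins backslash continuation lines, skips blank/comment lines, and
    ignores lines without a sid (var, include, preprocessor, ...)."""
    rules: Dict[int, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rule = (pending + line).strip()
        pending = ""
        m = SID_RE.search(rule)
        if not m:
            continue
        sid = int(m.group(1))
        if sid in rules:
            raise ValueError(f"duplicate sid {sid}")
        rules[sid] = normalize(rule)
    return rules


def rev_of(rule: str) -> int:
    m = REV_RE.search(rule)
    return int(m.group(1)) if m else 0


def compare_rulesets(old_text: str, new_text: str) -> dict:
    """Sid-keyed comparison: independent of rule order in the files."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    changed = sorted(s for s in set(old) & set(new) if old[s] != new[s])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": [(s, rev_of(old[s]), rev_of(new[s])) for s in changed],
        # body changed but rev unchanged: worth a closer look after an update
        "rev_not_bumped": [s for s in changed if rev_of(old[s]) == rev_of(new[s])],
    }


def naive_line_diff(old_text: str, new_text: str) -> Tuple[List[str], List[str]]:
    """Plain line diff for contrast: moved or re-spaced lines show up as changes."""
    removed, added = [], []
    for line in difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


# Constructed sample rulesets (not from any shipped Snort rules file).
OLD_RULES = """\
# constructed sample: previous ruleset
var HOME_NET 10.0.0.0/8
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC GET A"; content:"GET A"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC GET"; content:"GET"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER"; \\
    content:"USER"; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC HEAD"; content:"HEAD"; sid:1000005; rev:1;)
"""

NEW_RULES = """\
# constructed sample: updated ruleset (reordered, one removed, one added)
var HOME_NET 10.0.0.0/8
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC HEAD";   content:"HEAD"; sid:1000005;   rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC GET"; flow:to_server; content:"GET"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC GET A"; content:"GET A"; nocase; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC OPTIONS"; content:"OPTIONS"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for key, val in compare_rulesets(OLD_RULES, NEW_RULES).items():
        print(f"{key}: {val}")
    removed, _ = naive_line_diff(OLD_RULES, NEW_RULES)
    print("plain diff reports", len(removed), "removed lines (incl. unchanged sid 1000005)")
```

Sid 1000005 is only moved and re-spaced between the two files: the sid-keyed report leaves it out, while the plain line diff lists it as removed and added. The `rev_not_bumped` list catches the case the sid-keyed compare is really for, a rule body that changed under the same sid and rev.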
