Re: order of rules in rule files?

[Jason Haar <Jason.Haar () trimble co nz>]

On Tue, Feb 12, 2002 at 08:41:48PM -0600, Chris Green wrote:
> I don't think I was very clear.  What I meant is that suppose there
> are 5 rules that detect exploits for tcp $HOME_NET 80
>
> uricontent: "/hi"
> uricontent: "/hitme"
> uricontent: "/hitme?with"
> uricontent: "/hitme?with+"
> uricontent: "/hitme?with+expl0its"
>
> No matter what url you are hit with and the exploits one is the best
> match, only the first one will be hit.  The end user optimization is
> to avoid "dead" rules.

Ah right - makes more sense.

> No. At some point in the foreseeable future, the detection engine will
> be altered to do any or quickest match.  The less end user burden, the
> better.

> Rules are generally written with a catchall rule at the end. Please
> ask further if I'm still being confusing

Nope - I'm alright now - I'm no router ;-)


-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users