Snort mailing list archives
Re: Snort 1.9 vs 2.0
From: Chris Green <cmg () sourcefire com>
Date: Fri, 11 Oct 2002 14:20:38 -0400
[ note: what I'm saying only applies to 2.0+ ]

"Hervé Debar" <herve.debar () francetelecom com> writes:

> So IIUC, snort-devel on snort.org is snort 2.0 on sourcefire, right? Am I right in assuming that the rule writing is also changing? Thanks,

The biggest end user change in this is that rule ordering matters a lot less than it used to. If you specify content options in a rule, multiple matches will alert on the longest singular content match. That decision was made to most closely approximate how the snort rule set was written with most exact less exact catch all rule systems.

--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
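A simplified model of the selection behaviour described in the message above, added here as an illustration; it is not Snort source code and not part of the original post. The rule messages, content strings and payload are constructed, and matching is reduced to plain substring tests.

```python
# Simplified model (an assumption, not Snort's engine): a rule is a message
# plus content byte strings, all of which must appear in the payload.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str
    contents: tuple  # tuple of bytes objects

    def matches(self, payload: bytes) -> bool:
        return all(c in payload for c in self.contents)

    def longest_content(self) -> int:
        # Length of the longest single content, not the sum of all contents.
        return max((len(c) for c in self.contents), default=0)


def first_match(rules, payload):
    """Order-dependent selection: the first matching rule in file order wins."""
    for rule in rules:
        if rule.matches(payload):
            return rule
    return None


def longest_content_match(rules, payload):
    """Among all matching rules, pick the one with the longest single content."""
    hits = [r for r in rules if r.matches(payload)]
    # max() returns the earliest rule on a tie, so order only breaks ties.
    return max(hits, key=Rule.longest_content, default=None)


# Constructed rule set written catch-all first, most exact last.
RULES = [
    Rule("catch-all: HTTP GET", (b"GET ",)),
    Rule("two short contents", (b"GET ", b"HTTP/1.0")),
    Rule("less exact: cgi-bin access", (b"/cgi-bin/",)),
    Rule("most exact: example.cgi access", (b"/cgi-bin/example.cgi",)),
]
# Constructed payload that every rule above matches.
PAYLOAD = b"GET /cgi-bin/example.cgi?x=1 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, rules in (("file order", RULES), ("reversed", RULES[::-1])):
        print(label, "| first match:", first_match(rules, PAYLOAD).msg)
        print(label, "| longest content:", longest_content_match(rules, PAYLOAD).msg)
```
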