Re: order of matching rules

[Chris Green <cmg () snort org>]

archana rao <archuatdavis () yahoo com> writes:

> The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
> "For some strange reason, Snort stops the detection process for a
> packet after the first matching rule - maybe to improve performance"
> while talking about snort-ng. Is this the way it works in
> Snort-1.9.0 too?

For Snort-1.9.x yes.

For Snort-2.0, no.

There was a first exit match strategy first.  The strange reason was
once you got something you care about, why bother keeping going on and
let the ruleset editors worry about rule ordering.

If you're looking at snort-ng, look at the HEAD snort branch too.
You'll be pleasantly suprised if you have the facilities to compare
the two.

> In what order are the rules matched against the incoming packets?Is
> it the order in which they are listed in the *.rules file?  Archana

Look through the mailing list archives for a description of the
RTN/OTN parsing.
-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users