Snort mailing list archives
Re: order of matching rules
From: Christopher Kruegel <chris () infosys tuwien ac at>
Date: Mon, 21 Oct 2002 16:51:53 +0200
Chris Green <cmg () sourcefire com> writes:
> > The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that "For some strange reason, Snort stops the detection process for a packet after the first matching rule - maybe to improve performance" while talking about snort-ng. Is this the way it works in Snort-1.9.0 too?
>
> For Snort-1.9.x yes. For Snort-2.0, no. There was a first exit match strategy first. The strange reason was once you got something you care about, why bother keeping going on and let the ruleset editors worry about rule ordering.
I think the fact that Snort 2.0 changed this behavior clearly indicates that a first exit strategy causes more problems than it solves. The massive number of alerts generated includes many that you do not care about - especially probing attacks. These are often filtered out automatically. You definitely do not want an attack that you care about being hidden behind a benign alert that gets discarded in an automatic way. Therefore, reporting _all_ rules that match seems to be a good idea.
> If you're looking at snort-ng, look at the HEAD snort branch too. You'll be pleasantly surprised if you have the facilities to compare the two.
I wonder what that means exactly - could you be a bit more specific :)

christopher kruegel
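To make the ordering hazard discussed in this thread concrete, here is an added toy matcher (written for this page, not Snort's code and not from any of the posters) that runs the same payload through a "first exit" strategy and a "report all matches" strategy and then applies the kind of automatic probe filtering the reply mentions. The rules, signature ids, priorities and payload are all constructed for the illustration and are not real Snort signatures.

```python
# Added illustration, not Snort code: compares the Snort 1.9.x "first exit"
# matching strategy with the Snort 2.0 "report all matches" strategy.
# Rules, sids, priorities and the payload below are constructed for this
# example and are not real Snort signatures.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int          # hypothetical signature id
    msg: str
    content: bytes    # substring the payload must contain to match
    priority: int     # 1 = high, 3 = low (probe / noise)


# Constructed rule set: the benign probe rule is listed *before* the critical
# one, which is exactly the ordering a first-exit matcher gets wrong.
RULES = [
    Rule(1000001, "WEB-MISC generic scanner probe", b"GET /", 3),
    Rule(1000002, "WEB-ATTACKS traversal attempt", b"../../", 1),
]


def match_first_exit(rules, payload):
    """Snort 1.9.x behaviour: stop at the first rule whose content matches."""
    for rule in rules:
        if rule.content in payload:
            return [rule]
    return []


def match_all(rules, payload):
    """Snort 2.0 behaviour: evaluate every rule and report all matches."""
    return [rule for rule in rules if rule.content in payload]


def drop_probes(alerts, max_priority=2):
    """Automatic filtering stage: discard low-priority probe alerts."""
    return [a for a in alerts if a.priority <= max_priority]


# Constructed payload that satisfies both rules' content matches.
PAYLOAD = b"GET /../../etc/passwd HTTP/1.0\r\n"


def surviving_sids(strategy, payload=PAYLOAD):
    """Signature ids still reported after probe filtering under a strategy."""
    return [a.sid for a in drop_probes(strategy(RULES, payload))]


if __name__ == "__main__":
    print("first exit :", surviving_sids(match_first_exit))  # []
    print("all matches:", surviving_sids(match_all))         # [1000002]
```

Under first exit the only alert raised is the probe, and the filter discards it, so the traversal attempt never reaches the analyst; reporting all matches keeps it.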