Snort mailing list archives

Re: order of matching rules


From: Chris Green <cmg () snort org>
Date: Tue, 22 Oct 2002 12:25:19 -0400

Christopher Kruegel <chris () infosys tuwien ac at> writes:

Chris Green <cmg () sourcefire com> writes:

I think the fact that Snort 2.0 changed this behavior clearly
indicates that a first exit strategy causes more problems than it
solves. The massive number of alerts generated includes many that
you do not care about - especially probing attacks. These are often
filtered out automatically. You definitely do not want an attack
that you care about being hidden behind a benign alert that gets
discarded in an automatic way.  Therefore, reporting _all_ rules
that match seems to be a good idea.

Back when one of my primary functions was an analyst, I often took
great pains to make sure that rule ordering didn't get in my way and
I'd have an exact match, close match, pick up everything ordering to my
ruleset.  I liked that approach when I was only a user of snort and
not one of the developer team.

I certainly don't want a deluge of alerts to further compound the
amount of data I'm looking at on a regular basis. The system should
make better inferences of what an analyst wants to see. 

Now, snort-2.0 uses a concept of "most exact match" which currently
goes based off the longest pattern match reached so it still only
generates one alert.  It just does it in a different manner to more
closely approximate HOW the ordering was used.


If you're looking at snort-ng, look at the HEAD snort branch too.
You'll be pleasantly surprised if you have the facilities to compare
the two.

I wonder what that means exactly - could you be a bit more specific
:)

That means compare the approaches with high amounts of traffic if you
have the resources to do so.
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
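The three alert-selection policies discussed in this thread (first rule in ruleset order wins, Snort-2.0's "most exact match" picked by longest matched pattern, and report every matching rule) can be made concrete with a small simulation. The following is an added illustration written for this archive page, not Snort's own code: rules are reduced to a single content pattern each, the rule names, SIDs and the HTTP request are constructed sample data, and "most exact" is modelled exactly as the message describes it (longest pattern, ties broken by ruleset order).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes  # the single content pattern this toy rule looks for

# Constructed ruleset, ordered the way an analyst who relies on rule
# ordering would: exact match first, close match next, catch-all last.
RULES: List[Rule] = [
    Rule(1000001, "WEB-ATTACK admin config debug toggle", b"/admin/config.php?debug=1"),
    Rule(1000002, "WEB-ATTACK admin config access", b"/admin/config.php"),
    Rule(1000003, "WEB-MISC admin area request", b"/admin/"),
]

# Constructed sample payload that matches all three rules above.
SAMPLE = b"GET /admin/config.php?debug=1 HTTP/1.0\r\nHost: example.test\r\n\r\n"

def matching_rules(payload: bytes, rules: List[Rule] = RULES) -> List[Rule]:
    """Every rule whose content pattern occurs in the payload, in ruleset order."""
    return [r for r in rules if r.content in payload]

def first_exit(payload: bytes, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Pre-2.0 style: the first matching rule in ruleset order is the only
    alert; whatever else matched is silently dropped."""
    hits = matching_rules(payload, rules)
    return hits[0] if hits else None

def most_exact(payload: bytes, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Snort-2.0 style as described in the thread: still one alert, but the
    winner is the rule with the longest matched pattern. max() keeps the
    first of equal-length candidates, so ties fall back to ruleset order."""
    hits = matching_rules(payload, rules)
    return max(hits, key=lambda r: len(r.content)) if hits else None

def report_all(payload: bytes, rules: List[Rule] = RULES) -> List[Rule]:
    """Kruegel's proposal: report every rule that matched."""
    return matching_rules(payload, rules)

def describe(rule: Optional[Rule]) -> str:
    return "no alert" if rule is None else f"sid {rule.sid}: {rule.msg}"

if __name__ == "__main__":
    # Same traffic, same rules; only the ordering of the ruleset differs.
    for label, rules in (("analyst ordering", RULES),
                         ("catch-all first", list(reversed(RULES)))):
        print(f"[{label}]")
        print("  first exit :", describe(first_exit(SAMPLE, rules)))
        print("  most exact :", describe(most_exact(SAMPLE, rules)))
        print("  report all :", [r.sid for r in report_all(SAMPLE, rules)])
```

Running it shows the point Chris makes: with the catch-all placed first, first-exit selection reports only the generic "admin area request" rule and hides the specific one, while longest-pattern selection returns the specific rule regardless of how the ruleset is ordered, still as a single alert.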

