Snort mailing list archives

Which options determine which packets are matched?


From: Sweth Chandramouli <snort-users () astaroth sweth net>
Date: Wed, 20 Jun 2001 12:36:39 -0400

        I'm building a system that needs to be able to keep
track of different versions of snort filters.  Some of the filters that
I'm going to be cataloguing don't have any easy way to index them, so I've
finally come to terms with the fact that I need to build up a hashed index
of the various fields in the rule, and decide whether or not one rule is
"identical" to a previous rule based on how closely those fields match.

        The fields that I think determine what packets a given
filter matches are, for 1.7-style rules:

* ttl
* tos
* id
* ipoption
* fragbits
* dsize
* flags
* seq
* ack
* itype
* icode
* icmp_id
* icmp_seq
* content
* offset
* depth
* nocase
* rpc

        So, in theory, any pair of filters that are identical
for those fields are "the same", even if other options like msg happen
to be different.  Does my list above look right?  Am I missing anything
on it?  Is there anything on it that doesn't actually affect matching?

        Also, is there any documentation on the extensions that 1.8
adds to the options list?  The only examples I can find of those
extensions are classtype, sid, and rev, and I can't find any
explanations of what they do (although I have my ideas).

        Thanks,

        Sweth.

-- 
Sweth Chandramouli ; <svc () sweth net>
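One way to build the "hashed index of match-relevant fields" the post describes, as an added example that is not part of the original message or of Snort itself: it parses a one-line 1.7-style rule, keeps only the option keywords from the poster's list (plus the rule header, i.e. protocol, addresses, ports and direction, which also decide what a rule matches), and hashes the result so two rules that differ only in msg, sid or rev compare as the same filter. The regex, the option splitter and the three sample rules are constructed for this example; they are not Snort's own parser, and the sample rules are not from any real rule set.

```python
import hashlib
import re

# Option keywords from the poster's list: these decide which packets a rule matches.
# msg, sid, rev, classtype and similar bookkeeping options are deliberately excluded.
MATCH_OPTIONS = {
    "ttl", "tos", "id", "ipoption", "fragbits", "dsize", "flags", "seq", "ack",
    "itype", "icode", "icmp_id", "icmp_seq", "content", "offset", "depth",
    "nocase", "rpc",
}

# action proto src sport direction dst dport (options)   -- constructed, one-line rules only
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(<>|->)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' while respecting quoted strings and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (action, header tuple, [(keyword, value), ...]) for a one-line rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a recognised one-line rule: {rule!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, val = opt.partition(":")  # keyword-only options (e.g. nocase) get val == ""
        options.append((key.strip(), val.strip()))
    header = (proto, src, sport, direction, dst, dport)
    return action, header, options


def match_signature(rule):
    """Hex digest over only the parts of the rule that affect what it matches."""
    _action, header, options = parse_rule(rule)
    # Keep the match-relevant options in rule order: offset/depth/nocase modify the
    # content keyword that precedes them, so their position is part of the identity.
    relevant = [(k, v) for k, v in options if k in MATCH_OPTIONS]
    canonical = "|".join(header) + "||" + ";".join(f"{k}:{v}" for k, v in relevant)
    return hashlib.sha256(canonical.encode()).hexdigest()


def same_match(rule_a, rule_b):
    """True when both rules select the same packets, whatever their msg/sid/rev say."""
    return match_signature(rule_a) == match_signature(rule_b)


# Constructed sample rules: A and B differ only in msg/sid/rev; C drops nocase.
RULE_A = 'alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB test A"; content:"/cgi-bin/"; nocase; flags:A+; sid:1000001; rev:1;)'
RULE_B = 'alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB test B renamed"; content:"/cgi-bin/"; nocase; flags:A+; sid:1000002; rev:3;)'
RULE_C = 'alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB test C"; content:"/cgi-bin/"; flags:A+; sid:1000003; rev:1;)'

if __name__ == "__main__":
    print("A == B:", same_match(RULE_A, RULE_B))  # True: only bookkeeping options differ
    print("A == C:", same_match(RULE_A, RULE_C))  # False: nocase changes what matches
```

The rule action (alert, log, pass) is parsed but left out of the digest, since it changes what happens to a matched packet rather than which packets match; include it in `canonical` if the index needs to tell those apart.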
