Snort mailing list archives

Re: order of rules in rule files?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 13 Feb 2002 12:52:38 +1300

On Tue, Feb 12, 2002 at 04:58:55PM -0600, Chris Green wrote:
> Since snort cares about rule ordering and processes them in first per
> port basis, it does actually matter where you put your rules.  The

Wow - first time I've heard that. Is there any script for optimizing the
rule order? I've bunged a whole bunch of internal rules into snort, I never
thought I could optimize them by choosing where to put them...

In fact, doesn't that imply we should look at re-writing the snort rulesets
into protocol-based sets instead of type (web*,smtp*,etc)? 

Actually, if a script doesn't exist, I think even I could whack one up.
Surely you could sort by protocol, and then ensure that all rules that
contain "content" calls appear before rules that don't. That'd do a pretty
good job...?

# Write the split files into a separate directory so they are not picked up
# by the *.rules glob on the next run (which would duplicate every rule).
mkdir -p sorted

# -h suppresses the "filename:" prefix grep adds when given several files;
# without it every line in the output would start with the source file name
# and Snort would not parse it.
grep -ih " tcp " *.rules > sorted/tcp.rules
grep -ih " udp " *.rules > sorted/udp.rules
grep -ih " icmp " *.rules > sorted/icmp.rules
egrep -ihv " (tcp|icmp|udp) " *.rules > sorted/other.rules

# Within each protocol file: rules with a "content" match first, then the rest.
for p in tcp udp icmp other; do
  egrep -i "content" sorted/$p.rules > sorted/$p-sorted.rules
  egrep -iv "content" sorted/$p.rules >> sorted/$p-sorted.rules
done

cat sorted/tcp-sorted.rules sorted/udp-sorted.rules sorted/icmp-sorted.rules \
 sorted/other-sorted.rules > sorted/snort.rules

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
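The grep approach in the post matches " tcp " anywhere in the line, so a rule whose msg text mentions another protocol lands in two files, and comment lines are scattered across the split. The following is an added example, not Jason's script and not part of any Snort distribution: it parses the rule header (action, protocol) instead of grepping, drops comments, groups by protocol, and puts content/uricontent rules first within each group. The sample ruleset is constructed for the example; the sids are placeholders. It only reorders the lines in the file; whether that order actually speeds up a given Snort version is for the detection engine to decide.

```python
import re
from collections import OrderedDict

# Constructed sample ruleset (not real Snort rules); the sids are placeholders.
# The "ip" rule deliberately mentions "tcp" in its msg to show why parsing the
# header beats grepping for " tcp " anywhere in the line.
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp any any -> any 80 (msg:"WEB sample content rule"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP sample header-only rule"; flags:S; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS sample content rule"; content:"|00 00 10 00 01|"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"ICMP sample rule"; itype:8; sid:1000004; rev:1;)
alert ip any any -> any any (msg:"IP sample rule mentioning tcp in msg"; sid:1000005; rev:1;)
alert tcp any any -> any 21 (msg:"FTP sample content rule"; content:"USER"; nocase; sid:1000006; rev:1;)
"""

# Rule header: <action> <protocol> ...  (one rule per line, Snort 1.x style)
HEADER_RE = re.compile(r'^(alert|log|pass|activate|dynamic)\s+(\S+)\s+', re.I)
# content: or uricontent: as an option keyword (quoted strings are removed first,
# so a msg text containing the word "content" does not count)
CONTENT_RE = re.compile(r'\b(uri)?content\s*:', re.I)


def parse_rules(text):
    """Yield (protocol, has_content, rule_line) for each rule line.

    Blank lines, comments and non-rule lines (var, include, ...) are skipped.
    """
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = HEADER_RE.match(stripped)
        if not m:
            continue
        proto = m.group(2).lower()
        # strip quoted option arguments so only option keywords are inspected
        unquoted = re.sub(r'"[^"]*"', '""', stripped)
        has_content = CONTENT_RE.search(unquoted) is not None
        yield proto, has_content, stripped


def sort_rules(text, proto_order=('tcp', 'udp', 'icmp')):
    """Return the rule lines grouped by protocol (proto_order first, everything
    else last) with content-matching rules ahead of the others in each group.

    The sort is stable, so rules that tie keep their original relative order.
    """
    groups = OrderedDict((p, []) for p in proto_order)
    groups['other'] = []
    for proto, has_content, line in parse_rules(text):
        key = proto if proto in groups else 'other'
        groups[key].append((0 if has_content else 1, line))
    ordered = []
    for rules in groups.values():
        ordered.extend(line for _, line in sorted(rules, key=lambda r: r[0]))
    return ordered


def sort_rule_files(paths, out_path):
    """Concatenate the given rule files, sort them, and write one output file."""
    text = ''.join(open(p, encoding='utf-8', errors='replace').read() + '\n'
                   for p in paths)
    lines = sort_rules(text)
    with open(out_path, 'w', encoding='utf-8') as fh:
        fh.write('\n'.join(lines) + '\n')
    return len(lines)


if __name__ == '__main__':
    for rule in sort_rules(SAMPLE_RULES):
        print(rule)
```

Usage on a real tree would be `sort_rule_files(glob.glob('*.rules'), 'sorted/snort.rules')`; the output path should not match the input glob, or a second run will duplicate every rule.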

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
