Re: order of rules in rule files?

[Chris Green <cmg () uab edu>]

Jason Haar <Jason.Haar () trimble co nz> writes:

> On Tue, Feb 12, 2002 at 04:58:55PM -0600, Chris Green wrote:
> > Since snort cares about rule ordering and processes them in first per
> > port basis, it does actually matter where you put your rules.  The
>
> Wow - first time I've heard that. Is there any script for optimizing the
> rule order? I've bunged a whole bunch of internal rules into snort, I never
> thought I could optimize them by choosing where to put them...

I don't think I was very clear.  What I meant is that suppose there
are 5 rules that detect exploits for tcp $HOME_NET 80

uricontent: "/hi"
uricontent: "/hitme"
uricontent: "/hitme?with"
uricontent: "/hitme?with+"
uricontent: "/hitme?with+expl0its"

No matter what url you are hit with and the exploits one is the best
match, only the first one will be hit.  The end user optimization is
to avoid "dead" rules.

> In fact, doesn't that imply we should look at re-writing the snort rulesets
> into protocol-based sets instead of type (web*,smtp*,etc)? 

No. At some point in the foreseeable future, the detection engine will
be altered to do any or quickest match.  The less end user burden, the
better.

> Actually, if a script doesn't exist, I think even I could whack one up.
> Surely you could sort by protocol, and then ensure that all rules that
> contain "content" calls appear before rules that don't. That'd do a pretty
> good job...?


Rules are generally written with a catchall rule at the end. Please
ask further if I'm still being confusing
-- 
Chris Green <cmg () uab edu>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users