Snort mailing list archives

Re: Snort 1.9 vs 2.0

From: Chris Green <cmg () sourcefire com>
Date: Fri, 11 Oct 2002 14:20:38 -0400

[ note: what I'm saying only applies to 2.0+ ]

"Hervé Debar" <herve.debar () francetelecom com> writes:


So IIUC, snort-devel on snort.org is snort 2.0 on sourcefire, right ?

Am I right in assuming that the rule writing is also changing ?

Thanks,


The biggest end user change in this is that rule ordering matters a
lot less than it used to. If you specify content options in a rule,
multiple matches will alert on the longest singular content match.

That decision was made to most closely approximate how the snort rule
set was written with

most exact
less exact
catch all

rule systems
-- 
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 1.9 vs 2.0 Hervé Debar (Oct 10)
- Re: Snort 1.9 vs 2.0 Chris Green (Oct 10)
  - Re: Snort 1.9 vs 2.0 Andreas Hasenack (Oct 10)
    - Re: Snort 1.9 vs 2.0 Martin Roesch (Oct 10)
    - Re: Snort 1.9 vs 2.0 Hervé Debar (Oct 11)
    - Re: Snort 1.9 vs 2.0 Martin Roesch (Oct 11)
    - Re: Snort 1.9 vs 2.0 Chris Green (Oct 11)
    - Re: Snort 1.9 vs 2.0 Jens Krabbenhoeft (Oct 14)
    - Re: Snort 1.9 vs 2.0 Florin Andrei (Oct 11)
    - Re: Snort 1.9 vs 2.0 Erek Adams (Oct 11)