Snort mailing list archives
Rule efficiency
From: "Isherwood, Jeffrey - IS" <Jeffrey.Isherwood () itt com>
Date: Fri, 23 Jul 2010 13:38:53 -0400
I'm on the lookout for some traffic to several domains that I have been asked to monitor... and I'm wondering which is more efficient: several rules that each only look for a domain name, or one rule that looks for many domain names at once? Currently I'm doing the one-at-a-time method, but the list of domains I need to monitor just quadrupled and I am unsure which would be more efficient...

Examples:

alert tcp any any -> any any (content:"baddomain.com"; nocase; priority:1; msg:"suspicious domain traffic alert baddomain.com"; classtype:string-detect; sid:1000422; gid:1; rev:1;)
alert tcp any any -> any any (content:"crappydomain.com"; nocase; priority:1; msg:"suspicious domain traffic alert crappydomain.com"; classtype:string-detect; sid:1000340; gid:1; rev:1;)
alert tcp any any -> any any (content:"shoulndtubworking.com"; nocase; priority:1; msg:"suspicious domain traffic alert shoulndtubworking.com"; classtype:string-detect; sid:1000420; gid:1; rev:1;)
alert tcp any any -> any any (content:"wasteoftime.net"; nocase; priority:1; msg:"suspicious domain traffic alert wasteoftime.net"; classtype:string-detect; sid:1000409; gid:1; rev:1;)
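When a watch list quadruples, the practical problem is keeping the one-rule-per-domain set consistent: unique sids, no duplicate names (a "nocase" rule for "BadDomain.COM" next to one for "baddomain.com" fires twice), and no stray whitespace inside the content string. The generator below is an added example, not part of the original post; it takes a plain domain list (constructed here) and emits one Snort 2.x rule per domain, each with a single content, since that content is the rule's only fast-pattern candidate and Snort searches all rules' fast patterns in one pass of its multi-pattern matcher. The domain names and the starting sid (1000000, the conventional start of the local-rule range) are assumptions of the example.

```python
"""Generate one Snort rule per watched domain from a plain domain list.

Added example, not the poster's own rules. Assumes Snort 2.x rule syntax
(content/nocase/msg/classtype/priority/sid/rev) and a constructed domain list.
"""
import re

# Constructed sample input: one domain per line; '#' comments and blanks allowed.
# The last entry repeats the first with different case to show de-duplication.
SAMPLE_LIST = """
# domains to watch (constructed for this example)
baddomain.com
crappydomain.com

wasteoftime.net
BadDomain.COM
"""

# Hostname labels: letters, digits, hyphens (not at either end), 1-63 chars,
# at least two labels. Anything else is rejected rather than emitted blindly.
DOMAIN_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def parse_domain_list(text):
    """Return unique, lower-cased, syntactically valid domains in first-seen order.

    Lower-casing before de-duplication matters because the generated rules use
    'nocase': two rules for the same name in different case would both alert.
    """
    seen = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not DOMAIN_RE.match(line):
            raise ValueError(f"not a domain name: {raw!r}")
        if line not in seen:
            seen.append(line)
    return seen


def make_rule(domain, sid):
    """Build one rule with exactly one content keyword.

    With a single content there is nothing to choose between: that content is
    the fast pattern, and the multi-pattern matcher checks it alongside every
    other rule's fast pattern in one pass. A valid domain name contains none of
    the characters that need escaping inside a Snort content string.
    """
    return (
        'alert tcp any any -> any any ('
        f'msg:"suspicious domain traffic alert {domain}"; '
        f'content:"{domain}"; nocase; '
        'classtype:string-detect; priority:1; '
        f'sid:{sid}; rev:1;)'
    )


def generate_rules(text, first_sid=1000000):
    """Emit one rule per domain with consecutive sids starting at first_sid.

    first_sid is an assumption of this example: local rules conventionally
    use sid values of 1000000 and above.
    """
    domains = parse_domain_list(text)
    return [make_rule(d, first_sid + i) for i, d in enumerate(domains)]


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_LIST):
        print(rule)
```

Run it and redirect the output into a local rules file; re-running against an updated list regenerates the whole set, so sids stay stable only if new domains are appended at the end of the list (or a sid map is persisted, which the example leaves out).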