Snort mailing list archives

Re: Rule performance profiling question


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 Sep 2010 11:24:26 -0400

On 9/16/2010 09:07, Andy Berryman wrote:
> Joel wrote that they “both are SO rules.”
>
> What does that have to do with it? Does it make a difference that they are so
> rules?

yes... because they are GID:3 while the normal text rules in the *.rules files 
are GID:1... GID:3 are binary and if one is not using them, one cannot locate 
their SID ;)

with GID:3 being binary, there is also the problem of them having to be 
distributed in pre-compiled format... that means that they must be compatible 
with one's kernel and environment... if there are no pre-compiled rules that fit 
one's kernel and environment, then one cannot use GID:3 rules at all... well, 
not unless their source is available and can be compiled for one's 
environment... however, making the source for GID:3 rules available negates the 
reason for their existence in the first place... that reason is to prevent folk 
from seeing what is being detected and how so that they cannot work to avoid the 
detection...

IIUC, GID:3 rules detect traffic problems that have not yet been made public...
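As an added illustration of the SID-lookup point above (this is example code, not part of the original post or of Snort): text rules in the *.rules files carry no explicit gid and default to GID 1, while the SO rule stubs shipped alongside the compiled GID:3 rules carry `gid:3;`. The script below indexes rule text by (gid, sid) and resolves the `[gid:sid:rev]` tags from constructed alert_fast lines, flagging GID:3 hits whose stub is not loaded. The rule and alert samples are constructed for the example.

```python
import re

# Constructed sample rules (not from the post): a plain text rule, which
# has no gid option and so defaults to GID 1, and an SO rule stub, which
# carries gid:3 and no detection logic of its own.
TEXT_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE text rule"; content:"foo"; sid:1000001; rev:2;)
'''
SO_STUB_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE so stub"; gid:3; sid:1000002; rev:1;)
'''

# Constructed alert_fast lines; the [gid:sid:rev] tag is what we resolve.
ALERTS = '''
09/16-11:24:26.000001  [**] [1:1000001:2] EXAMPLE text rule [**] [Priority: 3] {TCP} 10.0.0.5:40000 -> 10.0.0.8:80
09/16-11:24:27.000002  [**] [3:1000002:1] EXAMPLE so stub [**] [Priority: 1] {TCP} 10.0.0.5:40001 -> 10.0.0.9:445
09/16-11:24:28.000003  [**] [3:1000003:1] EXAMPLE unknown [**] [Priority: 1] {TCP} 10.0.0.5:40002 -> 10.0.0.9:445
'''

OPT_RE = re.compile(r'\b(gid|sid|msg):\s*("[^"]*"|[^;]+);')
ALERT_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]')


def index_rules(rule_text):
    """Map (gid, sid) -> msg for every rule line; a missing gid means GID 1."""
    index = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(line)}
        if 'sid' not in opts:
            continue
        index[(int(opts.get('gid', 1)), int(opts['sid']))] = opts.get('msg', '')
    return index


def resolve_alerts(alert_text, index):
    """Return (gid, sid, status) per alert: 'text' or 'so-stub' when the SID is
    known, 'so-stub-missing' for a GID:3 SID with no loaded stub, else 'unknown'."""
    results = []
    for m in ALERT_RE.finditer(alert_text):
        gid, sid = int(m.group(1)), int(m.group(2))
        if (gid, sid) in index:
            status = 'so-stub' if gid == 3 else 'text'
        elif gid == 3:
            status = 'so-stub-missing'
        else:
            status = 'unknown'
        results.append((gid, sid, status))
    return results


if __name__ == '__main__':
    for row in resolve_alerts(ALERTS, index_rules(TEXT_RULES + SO_STUB_RULES)):
        print(row)
```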
