[Snort-devel] Rules Engine

Jason Larsen larsjaso at ...282...
Tue Apr 10 03:27:01 EDT 2001

I'm trying to optimize the rules engine a little bit, but some of the code
takes a little to understand.  I'm thinking of arranging the rules in a

You don't have to apply the modifiers of all the rules to all the packets.
For instance, "flags:A" and "flags:S" are mutually exclusive for any given
packet.  You could arrange the rules in a tree, cutting out a bunch
of them at each branching.

For instance:

ALL Rules
|    |    |   |
S  A  P  No flags     flags

If a packet had only the SYN flag set, you could immediately eliminate the
branches for ACK and PUSH.  You could similarly eliminate branches based
on source/destination port/ip.

Each test would then eliminate more branches starting with the operations
that are least CPU intensive and ending with the operations that are most
CPU intensive (content).  The fewer contents we have to actually execute
the faster snort will run.

Just a thought.  What do you guys think?
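
The pruning idea in the message above, as an added example (not code from the original post and not Snort's own rule engine). The rule and packet structs, the sample rules and the function names are hypothetical; flags are treated as an exact match, as the message assumes, and payloads are plain C strings.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define MAXB 8 /* max rules per flag bucket in this sketch */
/* Hypothetical, simplified rule: exact flag byte, dst port (0 = any), content. */
typedef struct { int id; uint8_t flags; uint16_t dport; const char *content; } rule_t;
typedef struct { uint8_t flags; uint16_t dport; const char *payload; } packet_t;

static const rule_t RULES[] = { /* constructed sample rules */
    {1, TH_SYN, 0, "probe"},      {2, TH_ACK, 80, "cmd.exe"},
    {3, TH_ACK, 21, "SITE EXEC"}, {4, TH_PUSH | TH_ACK, 80, "/etc/passwd"},
    {5, TH_PUSH | TH_ACK, 80, "cmd.exe"}, {6, 0, 0, "null-scan"},
};
#define NRULES (sizeof RULES / sizeof RULES[0])
static int bucket[256][MAXB], bucket_len[256];

/* First branching: index rules by the exact flag byte they require. */
void build_tree(void) {
    memset(bucket_len, 0, sizeof bucket_len);
    for (size_t i = 0; i < NRULES; i++) {
        uint8_t f = RULES[i].flags;
        if (bucket_len[f] < MAXB) bucket[f][bucket_len[f]++] = (int)i;
    }
}

/* Pruned walk: flags pick the branch, port is checked next, content last. */
int match_tree(const packet_t *p, int *searches) {
    *searches = 0;
    for (int k = 0; k < bucket_len[p->flags]; k++) {
        const rule_t *r = &RULES[bucket[p->flags][k]];
        if (r->dport && r->dport != p->dport) continue;
        ++*searches; /* only surviving rules pay for the content search */
        if (strstr(p->payload, r->content)) return r->id;
    }
    return -1;
}

int main(void) {
    packet_t p = {TH_PUSH | TH_ACK, 80, "GET /scripts/cmd.exe?/c+dir HTTP/1.0"};
    int n, id;
    build_tree();
    id = match_tree(&p, &n);
    printf("rule %d matched after %d of %zu content searches\n", id, n, NRULES);
    return 0;
}
```

Real payloads are binary, so a length-aware search would replace strstr; the search counter is there only to show how many content tests the branching avoids.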
