[Snort-devel] Re: Rules Engine
larsjaso at ...282...
Tue Apr 10 03:37:42 EDT 2001
Scratch that thought. I just caught up on the threads thread.
larsjaso at ...283...
----- Original Message -----
From: "Jason Larsen" <larsjaso at ...282...>
To: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, April 10, 2001 1:27 AM
Subject: Rules Engine
> I'm trying to optimize the rules engine a little bit, but some of the code
> takes a little to understand. I'm thinking of arranging the rules in a
> You don't have to apply the modifiers of all the rules to all the packets.
> For instance. A packet that has "flags:A" and "flags:S" are mutually
> exclusive. You could arrange the rules in a tree cutting out a bunch
> of them at each branching.
> For instance:
> ALL Rules
> | | | |
> S A P No flags flags
> If a packet had only the SYN flag set, you could immediately eliminate the
> branches for ACK and PUSH. You could similarly eliminate branches based
> on source/destination port/ip.
> Each test would then eliminate more branches starting with the operations
> that are least CPU intensive and ending with the operations that are most
> CPU intensive (content).
> The fewer contents we have to actually execute the faster snort will run.
> Just a thought. What do you guys think?
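The program below is an added illustration of the tree idea in the quoted post; it is not code from the original message or from Snort's own sources. It uses hypothetical rule and packet structs, a constructed rule set, and three constructed packets. Rules are sorted once into branches keyed on the exact TCP flags they require (S, A, P, or any), so a packet only walks its own branch plus the catch-all branch; within a rule the flag test runs first, then the port test, and the payload search last. The counters show how many rules were touched and how many content searches ran for the flat walk versus the tree walk, with the same alerts produced by both.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they appear in the header's flags byte. */
#define FLAG_SYN 0x02
#define FLAG_PSH 0x08
#define FLAG_ACK 0x10

/* Hypothetical rule/packet structs (not Snort's own). 0 or NULL means "no test". */
typedef struct {
    const char *name;
    uint8_t flags;       /* exact flags required, like "flags:S"; 0 = any */
    uint16_t dst_port;   /* destination port required; 0 = any */
    const char *content; /* payload substring to search for; NULL = none */
} rule_t;

typedef struct { uint8_t flags; uint16_t dst_port; const char *payload; } packet_t;

typedef struct {
    int rules_examined;   /* rules that had any modifier applied */
    int content_searches; /* expensive payload searches that actually ran */
} stats_t;

/* Constructed sample rule set. */
static const rule_t RULES[] = {
    { "syn-to-web",   FLAG_SYN, 80, NULL },
    { "syn-to-ssh",   FLAG_SYN, 22, NULL },
    { "ack-cmd-exe",  FLAG_ACK, 80, "cmd.exe" },
    { "psh-shell",    FLAG_PSH, 80, "/bin/sh" },
    { "any-passwd",   0,        0,  "/etc/passwd" },
    { "ack-ftp-root", FLAG_ACK, 21, "root" },
};
#define NUM_RULES ((int)(sizeof RULES / sizeof RULES[0]))

/* Constructed sample packets. */
const packet_t PKT_ACK_WEB = { FLAG_ACK, 80, "GET /cgi-bin/cmd.exe HTTP/1.0" };
const packet_t PKT_SYN_WEB = { FLAG_SYN, 80, "" };
const packet_t PKT_SYNACK  = { FLAG_SYN | FLAG_ACK, 80, "" };

/* Apply one rule's modifiers cheapest first; content runs only if the rest passed. */
static int rule_matches(const rule_t *r, const packet_t *p, stats_t *s) {
    s->rules_examined++;
    if (r->flags != 0 && p->flags != r->flags) return 0;
    if (r->dst_port != 0 && p->dst_port != r->dst_port) return 0;
    if (r->content != NULL) {
        s->content_searches++;
        if (strstr(p->payload, r->content) == NULL) return 0;
    }
    return 1;
}

/* Flat evaluation: every rule is examined for every packet. */
static int match_flat(const packet_t *p, stats_t *s) {
    int alerts = 0;
    for (int i = 0; i < NUM_RULES; i++) alerts += rule_matches(&RULES[i], p, s);
    return alerts;
}

/* One-level tree keyed on the exact flags combination, plus a catch-all branch
 * for rules with no flags requirement that must always be walked. */
enum { BR_SYN, BR_ACK, BR_PSH, BR_ANY, NUM_BRANCHES };
typedef struct { const rule_t *rules[NUM_RULES]; int count; } branch_t;
typedef struct { branch_t br[NUM_BRANCHES]; } rule_tree_t;

static int branch_for_flags(uint8_t flags) {
    switch (flags) {
    case FLAG_SYN: return BR_SYN;
    case FLAG_ACK: return BR_ACK;
    case FLAG_PSH: return BR_PSH;
    default:       return -1;   /* no dedicated branch for this combination */
    }
}

static void build_tree(rule_tree_t *t) {
    memset(t, 0, sizeof *t);
    for (int i = 0; i < NUM_RULES; i++) {
        int b = RULES[i].flags ? branch_for_flags(RULES[i].flags) : BR_ANY;
        if (b < 0) b = BR_ANY;  /* unusual flag combos fall back to the catch-all */
        t->br[b].rules[t->br[b].count++] = &RULES[i];
    }
}

static int match_branch(const branch_t *b, const packet_t *p, stats_t *s) {
    int alerts = 0;
    for (int i = 0; i < b->count; i++) alerts += rule_matches(b->rules[i], p, s);
    return alerts;
}

/* Tree evaluation: walk the packet's own flags branch and the catch-all only. */
static int match_tree(const rule_tree_t *t, const packet_t *p, stats_t *s) {
    int alerts = 0, b = branch_for_flags(p->flags);
    if (b >= 0) alerts += match_branch(&t->br[b], p, s);
    return alerts + match_branch(&t->br[BR_ANY], p, s);
}

/* Run one strategy on one packet, returning alerts and filling in the counters. */
int evaluate(const packet_t *p, int use_tree, stats_t *s) {
    rule_tree_t t;
    memset(s, 0, sizeof *s);
    if (!use_tree) return match_flat(p, s);
    build_tree(&t);
    return match_tree(&t, p, s);
}
int alerts_for(const packet_t *p, int use_tree)   { stats_t s; return evaluate(p, use_tree, &s); }
int examined_for(const packet_t *p, int use_tree) { stats_t s; evaluate(p, use_tree, &s); return s.rules_examined; }
int searches_for(const packet_t *p, int use_tree) { stats_t s; evaluate(p, use_tree, &s); return s.content_searches; }

int main(void) {
    const packet_t *pkts[] = { &PKT_ACK_WEB, &PKT_SYN_WEB, &PKT_SYNACK };
    for (int i = 0; i < 3; i++)
        printf("packet %d: flat examined %d / searched %d, tree examined %d / searched %d, alerts %d\n",
               i, examined_for(pkts[i], 0), searches_for(pkts[i], 0),
               examined_for(pkts[i], 1), searches_for(pkts[i], 1), alerts_for(pkts[i], 1));
    return 0;
}
```

The flags key is an exact match, mirroring how a plain "flags:A" is exclusive of "flags:S"; a SYN+ACK packet therefore touches only the catch-all branch. A second level keyed on port would cut the catch-all walk down further in the same way.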