[Snort-devel] Re: Rules Engine

Jason Larsen larsjaso at ...282...
Tue Apr 10 03:37:42 EDT 2001


Scratch that thought.  I just caught up on the threads thread.

Jason Larsen
larsjaso at ...283...

----- Original Message -----
From: "Jason Larsen" <larsjaso at ...282...>
To: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, April 10, 2001 1:27 AM
Subject: Rules Engine


> I'm trying to optimize the rules engine a little bit, but some of the code
> takes a little to understand.  I'm thinking of arranging the rules in a
> tree.
>
> You don't have to apply the modifiers of all the rules to all the packets.
> For instance, a packet with "flags:A" and one with "flags:S" are mutually
> exclusive.  You could arrange the rules in a tree, cutting out a bunch
> of them at each branching.
>
> For instance:
>
>               ALL Rules
>      |      |      |      |
>      S      A      P   No flags        (flags)
>
> If a packet had only the SYN flag set, you could immediately eliminate the
> branches for ACK and PUSH.  You could similarly eliminate branches based
> on source/destination port/ip.
>
> Each test would then eliminate more branches, starting with the operations
> that are least CPU intensive and ending with the operations that are most
> CPU intensive (content).  The fewer contents we have to actually execute,
> the faster snort will run.
>
> Just a thought.  What do you guys think?
>
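The rule tree sketched in the quoted message, written out as a small added example in Python; it is not Snort's code and not anything posted in this thread. Rule and Packet are simplified stand-ins (protocol, exact TCP flag set, destination port, one content string), the seven rules and three packets are constructed, and the branch order follows the message's cheapest-first idea: protocol, then flags, then port, with content searched only on whatever survives. A rule that does not constrain a field is filed under a wildcard bucket so it stays reachable from every branch, which is what keeps the tree's hits identical to those of a linear scan:

```python
"""Added example (not Snort's code): a prototype of the rule-tree dispatch
proposed above.  Rules are filed under cheap header fields, cheapest test
first, so only the rules reachable through a packet's own branch ever pay
for a content search.  Rule, Packet, the rules and the packets are constructed."""
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # bucket for rules that leave a field unconstrained

@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str                         # "tcp" or "udp"
    flags: Optional[frozenset] = None  # exact flag set (Snort's default flags test)
    dport: Optional[int] = None
    content: Optional[bytes] = None

@dataclass
class Packet:
    proto: str
    flags: frozenset
    dport: int
    payload: bytes

# One tree level per header field, cheapest first: (rule key, packet key).
LEVELS = (
    (lambda r: r.proto, lambda p: p.proto),
    (lambda r: r.flags, lambda p: p.flags),
    (lambda r: r.dport, lambda p: p.dport),
)
LEAF = len(LEVELS) - 1

def build_tree(rules):
    """Nested dicts keyed level by level; leaves are lists of rules."""
    root = {}
    for rule in rules:
        node = root
        for depth, (rule_key, _) in enumerate(LEVELS):
            key = rule_key(rule)
            key = ANY if key is None else key
            node = node.setdefault(key, [] if depth == LEAF else {})
        node.append(rule)
    return root

def _collect(node, packet, depth, out):
    # Follow the packet's own value plus the ANY bucket; every other sibling
    # branch, and every rule under it, is skipped without being examined.
    for key in (LEVELS[depth][1](packet), ANY):
        child = node.get(key)
        if child is not None:
            if depth == LEAF:
                out.extend(child)
            else:
                _collect(child, packet, depth + 1, out)

def candidates(tree, packet):
    """Rules whose header tests the packet passes, before any content search."""
    out = []
    _collect(tree, packet, 0, out)
    return out

def header_ok(rule, packet):
    return (rule.proto == packet.proto
            and (rule.flags is None or rule.flags == packet.flags)
            and (rule.dport is None or rule.dport == packet.dport))

def content_pass(rules, packet):
    """The expensive step.  Returns (sorted matching sids, searches run)."""
    hits, searches = [], 0
    for rule in rules:
        if rule.content is not None:
            searches += 1
            if rule.content not in packet.payload:
                continue
        hits.append(rule.sid)
    return sorted(hits), searches

def match_linear(rules, packet):
    """Baseline: every rule's header is tested.  Returns (hits, examined, searches)."""
    hits, searches = content_pass([r for r in rules if header_ok(r, packet)], packet)
    return hits, len(rules), searches

def match_tree(tree, packet):
    """Only rules in the packet's branch are examined at all."""
    cands = candidates(tree, packet)
    hits, searches = content_pass(cands, packet)
    return hits, len(cands), searches

# Constructed rule set and packets; sids and contents are illustrative only.
RULES = [
    Rule(1, "tcp", frozenset("S"),  80,   None),
    Rule(2, "tcp", frozenset("A"),  80,   b"GET /cgi-bin/"),
    Rule(3, "tcp", frozenset("A"),  None, b"/etc/passwd"),
    Rule(4, "tcp", frozenset("SA"), None, None),
    Rule(5, "udp", None,            53,   b"version"),
    Rule(6, "tcp", None,            None, b"root"),
    Rule(7, "tcp", frozenset("PA"), 80,   b"GET /cgi-bin/"),
]
TREE = build_tree(RULES)
HTTP_REQ  = Packet("tcp", frozenset("PA"), 80, b"GET /cgi-bin/phf HTTP/1.0\r\n")
SYN_80    = Packet("tcp", frozenset("S"),  80, b"")
DNS_QUERY = Packet("udp", frozenset(),     53, b"version.bind")
```

For HTTP_REQ the linear scan examines all seven rules and runs two content searches; the tree examines only the two rules in the tcp/PA/80 and wildcard branches and produces the same hit. Only Snort's default exact flag test keys cleanly: rules written with the `+`, `*` or `!` flag modifiers match more than one flag combination, so they would have to be filed under the wildcard bucket (or a separate list) and tested per rule, and any level whose test is not an exact equality needs the same treatment. Comparing match_linear and match_tree hits over a packet trace is the check to keep when reordering the levels.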