[Snort-devel] Order of rule options

Robin Sommer robin at ...1275...
Wed Aug 7 08:23:02 EDT 2002


Hi,

according to Snort's documentation, the order of options within a
rule is not significant. In particular, it states that the content
option is always tested as late as possible.

This doesn't seem to be the case all the time:

----- cut ------------------------------------------------------------
robin:~>diff -u snort.conf.1 snort.conf.2 
--- snort.conf.1        Tue Aug  6 20:16:52 2002
+++ snort.conf.2        Tue Aug  6 20:16:52 2002
@@ -498,4 +498,4 @@
 
  
   
-alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|00 00|"; ip_proto:2;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (ip_proto:2; content:"|00 00|";)
----- cut ------------------------------------------------------------
robin:~>time ./snort -l . -r trace -c snort.conf.1 -q
Initializing Output Plugins!
Run time for packet processing was 92.277611 seconds

real    1m31.824s
user    0m51.893s
sys     0m20.942s
----- cut ------------------------------------------------------------
robin:~>time ./snort -l . -r trace -c snort.conf.2 -q
Initializing Output Plugins!
Run time for packet processing was 84.127163 seconds

real    1m24.314s
user    0m39.921s
sys     0m21.438s
----- cut ------------------------------------------------------------

There is only this single rule in the config, and I've used the
latest CVS version.

Is this a bug?

Robin

P.S.: In the current CVS version, src/Makefile tries to
compile/link checksum.c which seems to be gone.