[Snort-devel] Order of rule options

Chris Green cmg at ...402...
Wed Aug 7 09:23:03 EDT 2002


Robin Sommer <robin at ...1275...> writes:

> Hi,
>
> according to Snort's documentation, the order of options within a
> rule is not significant.

"Will it pass? -> Yes/No" its not significant.

For the time being, it is significant from detection engine layout
checking of rule optiosn ( closer to the front of the rule, put the
quicker checks cause thats the way it happens ).

That's the type of stuff that's subject to change quickly and leaving
as much of that out of the user real and in the development realm is
desired so we can change the implementation very quickly.

Stablizing 1.9 so we can move forward with all that type of stuff is
what's occuring right now.

> In particular, it states that the content option is always tested as
> late as possible.

Please point out where. That is not correct at the moment.  Doing an
insertion sort of options is needed.
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-devel mailing list