[Snort-devel] Order of rule options

Chris Green cmg at ...402...
Mon Aug 12 06:37:03 EDT 2002


Robin Sommer <robin at ...1275...> writes:

> Speeding Up Rules That Have Content Options   
>
> The order that rules are tested by the detection engine is
> completely independent of the order that they are written in a rule.
> The last rule test that is done (when necessary) is always the
> content rule option. Take advantage of this fact by using other
> faster rule options that can detect whether or not the content needs
> to be checked at all.
> ----- cut ------------------------------------------------------------
>
> (my interpretation here is that "rules" in the first sentence is
> actually intended to be "options"). 
>
> Has this been correct for older versions?

After talking to Marty, no it hasn't. Not sure where this lil nugget
of joy came from (doubtful it emanated from my noggin... :^)).  I'll
update the documentation for 1.9 to point this out.

Reordering them would result in a small performance gain. Long term,
as we make things such as Fisk's setwise stuff work correctly, it
shouldn't matter.
-- 
Chris Green <cmg at ...402...>
A good pun is its own reword.
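
The point of the reply above, as an added example that is not part of the original post or of Snort's source: a simplified model in which a rule's options are tested in the order written and evaluation stops at the first failing option. The option tests, the packets and the `EVIL` pattern are constructed for illustration; only the names `dsize` and `content` are taken from Snort's rule options.

```python
# Simplified model (an assumption, not Snort code): options run in written
# order and the rule is abandoned as soon as one option fails.

def evaluate(options, packet, counters):
    """Test each (name, test) option in order; count every test performed."""
    for name, test in options:
        counters[name] = counters.get(name, 0) + 1
        if not test(packet):
            return False          # short-circuit: later options are skipped
    return True

def count_tests(options, packets):
    """Return (number of alerts, per-option test counts) for a packet set."""
    counters = {}
    alerts = sum(evaluate(options, p, counters) for p in packets)
    return alerts, counters

# Hypothetical option tests: a cheap length check and a costly payload search.
dsize_gt_100 = ("dsize", lambda p: len(p["payload"]) > 100)
content_evil = ("content", lambda p: b"EVIL" in p["payload"])

# Constructed packets: three short ones, one long match, one long non-match.
PACKETS = [
    {"payload": b"GET / HTTP/1.0"},
    {"payload": b"EVIL"},
    {"payload": b"hello"},
    {"payload": b"A" * 120 + b"EVIL"},
    {"payload": b"B" * 150},
]

# The same rule written two ways, e.g. (content:"EVIL"; dsize:>100;)
# versus (dsize:>100; content:"EVIL";).
CONTENT_FIRST = [content_evil, dsize_gt_100]
DSIZE_FIRST = [dsize_gt_100, content_evil]

if __name__ == "__main__":
    for label, opts in (("content first", CONTENT_FIRST),
                        ("dsize first", DSIZE_FIRST)):
        alerts, counters = count_tests(opts, PACKETS)
        print(f"{label}: alerts={alerts} tests={counters}")
```

Both orderings raise the same alert; only the number of payload searches differs, which is the small gain the reply refers to.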