[Snort-devel] rule processing order

Dan Aiello aielloda at ...1559...
Sun Sep 8 09:55:03 EDT 2002

Hey, everybody, I'm new to the list, and I wanted to solicit a little
help, if possible...

I'm working on a research project on IDSes and the effort to make them
more fault-tolerant. More specifically, we're looking at the order of rule
processing and if it can be changed dynamically. The purpose of this would
be to decay gracefully under a DOS attack or similar scenario. Hopefully,
we could reorder the way the rules are processed or possibly even turn
rules off dynamically to avoid dropping packets and missing another
simultaneous attack.

So, we are looking generally at that idea, but specifically using Snort as
a basis for examining this concept. I need to know how Snort currently
processes its rules and if there are plans to change this algorithm in the
near future. I have begun looking at the source code and searching through
the archives to answer these questions, but I thought that somebody might
be able to make my life easier by leading me in the right direction. I
figured this might be the place to pose such a question.

Any help would be appreciated -- other people/lists to contact, specific
places in the code to look, or even a general description if you are
familiar with the rules processing code.

Thank you in advance, and I apologize if this is just more clutter in your


P.S. I'm not actually subscribed to the list, so please reply to me
directly if you can help.

More information about the Snort-devel mailing list