[Snort-devel] Re: Snort 2.0.5 hang/infinte loop

nick black dank at ...2285...
Thu Dec 11 06:00:03 EST 2003

In article <20031210163106.GL20147 at ...402...>, Jeremy Hewlett wrote:
> looking for the next occurance of the specified content. In short, 
> the non-content options (ie: dsize, ip_proto) should go first,
> and the content options last. This is the ideal way to write snort
> rules, as this increases performance.

If one can set such simple and machine-verifiable rules as these, why
doesn't snort simply optimize its internal representation of the rule
properly?  It's not as if there's result dependancies between the
logically ANDed terms here.

nick black <dank at ...2284...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo

