[Snort-devel] Re: Snort 2.0.5 hang/infinte loop

nick black dank at ...2285...
Thu Dec 11 06:00:03 EST 2003


In article <20031210163106.GL20147 at ...402...>, Jeremy Hewlett wrote:
> looking for the next occurance of the specified content. In short, 
> the non-content options (ie: dsize, ip_proto) should go first,
> and the content options last. This is the ideal way to write snort
> rules, as this increases performance.

If one can set such simple and machine-verifiable rules as these, why
doesn't snort simply optimize its internal representation of the rule
properly?  It's not as if there's result dependancies between the
logically ANDed terms here.

-- 
nick black <dank at ...2284...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo





More information about the Snort-devel mailing list