[Snort-devel] Re: Snort 2.0.5 hang/infinte loop

Daniel J. Roelker droelker at ...402...
Thu Dec 11 15:23:24 EST 2003


Thanks Nick.  That's something we've had on the list of things to do for
a while, but right now we have other features/issues that we're
addressing.  Jeremy was just reiterating the optimal way for users to
write rules.

As always feel free to submit a patch . . . :)

Dan

On Wed, 2003-12-10 at 20:30, nick black wrote:
> In article <20031210163106.GL20147 at ...402...>, Jeremy Hewlett wrote:
> > looking for the next occurance of the specified content. In short, 
> > the non-content options (ie: dsize, ip_proto) should go first,
> > and the content options last. This is the ideal way to write snort
> > rules, as this increases performance.
> 
> If one can set such simple and machine-verifiable rules as these, why
> doesn't snort simply optimize its internal representation of the rule
> properly?  It's not as if there's result dependancies between the
> logically ANDed terms here.
> 
> -- 
> nick black <dank at ...2284...>
> "np:  nondeterministic polynomial-time
> the class of dashed hopes and idle dreams." - the complexity zoo
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.





More information about the Snort-devel mailing list