elof at ...969...
Fri Dec 19 05:27:02 EST 2003
Does snort optimize the "any" options to reduce CPU usage?
Given these two rules:
alert tcp any any -> any 80 (msg:"foo"; content: "foo"; .....)
alert tcp 188.8.131.52 any -> 184.108.40.206 80 (msg:"foo"; content: "foo"; .....)
Is snort smart and only uses CPU resources to match the dst-port and
content of rule #1, while it matches src, dst and dst-port for rule #2?
Or is snort "dumb" and always performs the matching mechanism on
*everything*, even if the field is set to any?
This question was raised when deciding what to set EXTERNAL_NET to.
Will EXTERNAL_NET=!$HOME_NET use more CPU than EXTERNAL_NET=any, given