[Snort-devel] Optimized?

Martin Olsson
Fri Dec 19 05:27:02 EST 2003

Does snort optimize the "any" options to reduce CPU usage?

Given these two rules:

alert tcp any any -> any 80 (msg:"foo"; content: "foo"; .....)
alert tcp any -> 80 (msg:"foo"; content: "foo"; .....)

Is snort smart and only uses CPU resources to match the dst-port and
content of rule #1, while it matches src, dst and dst-port for rule #2?

Or is snort "dumb" and always performs the matching mechanism on
*everything*, even if the field is set to any?

This question was raised when deciding what to set EXTERNAL_NET to.
Will EXTERNAL_NET=!$HOME_NET use more CPU than EXTERNAL_NET=any, given
that HOME_NET=


