[Snort-devel] Optimized?

Martin Olsson elof at ...969...
Fri Dec 19 05:27:02 EST 2003


Does snort optimize the "any" options to reduce CPU usage?

Given these two rules:

alert tcp any any -> any 80 (msg:"foo"; content: "foo"; .....)
alert tcp 1.1.1.1 any -> 2.2.2.2 80 (msg:"foo"; content: "foo"; .....)

Is snort smart and only uses CPU resources to match the dst-port and
content of rule #1, while it matches src, dst and dst-port for rule #2?

Or is snort "dumb" and always performs the matching mechanism on
*everything*, even if the field is set to any?


This question was raised when deciding what to set EXTERNAL_NET to.
Will EXTERNAL_NET=!$HOME_NET use more CPU than EXTERNAL_NET=any, given
that HOME_NET=192.168.0.0/16?

/Martin




