[Snort-devel] Rule evaluation order and flowbits?

c0uchw4rrior c0uchw4rrior at ...2499...
Tue Jan 22 14:56:40 EST 2008


Hey folks,

I have a pretty basic question regarding setting/checking flowbits. If
I have an alert rule R1 that sets a flowbit and another alert rule R2
that checks that flowbit, am I guaranteed that Snort will always
evaluate and match on R1 before R2?

It seems to me this would have to be the case for flowbits to work
reliably, but I wanted to confirm this before I start writing a bunch
of flowbit rules ;)

Thanks,
c0uch




More information about the Snort-devel mailing list