[Snort-devel] Rule evaluation order and flowbits?

Steven Sturges steve.sturges at ...402...
Tue Jan 22 15:04:09 EST 2008


flowbits should be used to track matches across different packets
of the same session.  It is not reliable within the same packet.

There is no guarantee that Snort will evaluate R1 before R2, as that
depends on either the order of occurrence of the longest pattern in
the rule (or if no pattern, the order in which the rules are parsed).

Cheers.
-steve

c0uchw4rrior wrote:
> Hey folks,
> 
> I have a pretty basic question regarding setting/checking flowbits. If
> I have an alert rule R1 that sets a flowbit and another alert rule R2
> that checks that flowbit, am I guaranteed that Snort will always
> evaluate and match on R1 before R2?
> 
> It seems to me this would have to be the case for flowbits to work
> reliably, but I wanted to confirm this before I start writing a bunch
> of flowbit rules ;)
> 
> Thanks,
> c0uch
> 
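An added example, not part of the original thread: a constructed Snort 2.x rule set showing the cross-packet use of flowbits described in the reply, next to the same-packet pattern it warns against. The flowbit names, message strings, SIDs and the FTP scenario are assumptions chosen for illustration.

```snort
# Constructed example rules (local SID range, hypothetical flowbit names).

# --- Reliable: setter and checker match DIFFERENT packets of one session ---
# Packet 1 (client -> server): remember that an anonymous login was attempted.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous USER seen"; \
    flow:to_server,established; content:"USER anonymous"; nocase; \
    flowbits:set,ftp_anon_user; flowbits:noalert; \
    sid:1000001; rev:1;)

# Packet 2 (server -> client): alert only if the earlier packet set the bit.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL FTP anonymous login accepted"; \
    flow:to_client,established; content:"230 "; depth:4; \
    flowbits:isset,ftp_anon_user; \
    sid:1000002; rev:1;)

# --- Unreliable: both rules match the SAME packet ---
# Nothing guarantees the setter is evaluated before the checker,
# so the checker may never see the bit. Shown commented out.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL R1 sets bit"; \
#     flow:to_server,established; content:"USER "; nocase; \
#     flowbits:set,same_pkt_bit; flowbits:noalert; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL R2 checks bit"; \
#     flow:to_server,established; content:"anonymous"; nocase; \
#     flowbits:isset,same_pkt_bit; sid:1000004; rev:1;)

# Same-packet conditions belong in ONE rule, which needs no flowbit at all.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP USER anonymous in one packet"; \
    flow:to_server,established; content:"USER "; nocase; \
    content:"anonymous"; nocase; distance:0; \
    sid:1000005; rev:1;)
```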



