[Snort-devel] Question on portvar

Steven Sturges ssturges at ...402...
Mon Sep 8 08:48:44 EDT 2008


This was originally done for performance.

A portvar that is all negated ports can be written
as the inverse using a non-negated list of ports.

snort user wrote:
>     /* check for a pure not rule - fatal if we find one */
>       FatalError("Pure NOT ports are not allowed!\n");
> 
> 
> Is there a reason for not supporting portvars for pure NOT rules?
> 
> 
> Thanks a lot!
> 
> 
> 
> 
> On Fri, Jul 25, 2008 at 5:12 PM, Steven Sturges
> <steve.sturges at ...402...> wrote:
>> The portvar changes affect how rules are grouped
>> and data is inserted into the fast pattern matcher.
>>
>> Doesn't affect the creation of the RTN/OTN.
>>
>> snort user wrote:
>>> Hello and greetings.
>>>
>>> I have a question about the portvar option of snort that was
>>> introduced a while back.
>>> When this change was made, did it affect only parser.c or did it
>>> affect the rest of the system - detection stage, how rtn/otn is
>>> created and looked up?
>>>
>>> Any help is appreciated.
>>>
>>> Thanks!
>>>
> 
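
The rewrite described in the reply above, as an added example (not part of the original thread and not Snort code): a helper that turns a pure-NOT port list into the equivalent non-negated list. The function names are hypothetical, and it assumes the `!port`, `lo:hi`, `:hi` and `lo:` item forms and a port space of 0 to 65535.

```python
MAX_PORT = 65535  # assumption: valid ports are 0..65535


def parse_negated(portlist):
    """Parse '[!80,!443,!8000:8080]' into a list of (lo, hi) negated ranges."""
    ranges = []
    for item in portlist.strip().strip("[]").split(","):
        item = item.strip()
        if not item.startswith("!"):
            raise ValueError(f"not a pure NOT list, found {item!r}")
        lo, sep, hi = item[1:].partition(":")
        if sep:  # range, either bound may be left open
            lo_n = int(lo) if lo else 0
            hi_n = int(hi) if hi else MAX_PORT
        else:    # single port; int('') raises ValueError on a bare '!'
            lo_n = hi_n = int(lo)
        if not 0 <= lo_n <= hi_n <= MAX_PORT:
            raise ValueError(f"bad port range in {item!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def invert(ranges):
    """Return the ports NOT covered by ranges, as sorted (lo, hi) pairs."""
    out, next_free = [], 0
    for lo, hi in sorted(ranges):
        if lo > next_free:                 # gap before this negated range
            out.append((next_free, lo - 1))
        next_free = max(next_free, hi + 1)  # handles overlapping ranges
    if next_free <= MAX_PORT:
        out.append((next_free, MAX_PORT))
    return out


def rewrite_pure_not(portlist):
    """Rewrite a pure-NOT port list as its non-negated inverse."""
    positive = invert(parse_negated(portlist))
    if not positive:
        raise ValueError("every port is negated, the inverse is empty")
    parts = [str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in positive]
    return "[" + ",".join(parts) + "]"


if __name__ == "__main__":
    # Constructed sample input, not taken from any real rule set.
    print(rewrite_pure_not("[!80,!443,!8000:8080]"))
```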