[Snort-devel] *.rules files parsing

Todd Wease twease at ...402...
Thu Nov 19 08:04:43 EST 2009


All non-rule configurations are parsed first because there may be some 
configuration options necessary for rules parsing, for example 
preprocessor rule options.  A second pass is then done to parse the rules.

On 11/19/2009 07:47 AM, alessandrorguard-snortml at ...2440... wrote:
> During some testing with parser.c it comes out that the rules files
> included in the snort.conf file gets included 2 times: the first in
> ParseSnortConf(), then in ParseRules().
> Is it correct?
> What are the differences in the two steps?
> Could any developer tell the structure of the parsed rules? The only documentation I’m finding on the net seems to be obsolete…
> Thanks!
>
> Alessandro R
>




More information about the Snort-devel mailing list