[Snort-devel] Order of stream_size and dsize checks?

Joel Esler (jesler) jesler at ...3461...
Fri Mar 21 14:11:13 EDT 2014


You bring up a good point though, Harley, which is basically, if you put those checks first in the rule (before the content match) it can speed up the evaluation of the traffic by that rule.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Mar 21, 2014, at 12:06 PM, Steven Sturges <steve.sturges at ...402...<mailto:steve.sturges at ...402...>> wrote:

Rule options are evaluated in the order specified in the rule.

On 3/21/14, 11:56 AM, Harley H wrote:
Hello,
  Are stream_size and dsize checked following any or all content
matches or are they performed first?

-Harley


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech



_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140321/37e295e6/attachment.html>


More information about the Snort-devel mailing list