No subject


Thu Nov 23 16:31:58 EST 2017


----- cut ------------------------------------------------------------
Speeding Up Rules That Have Content Options=20=20=20

The order that rules are tested by the detection engine is
completely independent of the order that they are written in a rule.
The last rule test that is done (when necessary) is always the
content rule option. Take advantage of this fact by using other
faster rule options that can detect whether or not the content needs
to be checked at all.
----- cut ------------------------------------------------------------

(my interpretation here is that "rules" in the first sentence is
actually intended to be "options").=20

Has this been correct for older versions?

If the options are evaluated in the order in which they are defined
within a rule, it could perhaps be worthwile to move the content
options to the end of all rules (I haven't checked how may rules
would be affected, but it's at least one :-)

Robin

--pWyiEgJYm5f9v55/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9Ud+21roSHXgzgW4RAtrMAJ4ha11MDkbQWmb/4uXli1VAOcPchQCfcw2H
XQcsV/vaBcCB1XUFCjb5KRg=
=OR2D
-----END PGP SIGNATURE-----

--pWyiEgJYm5f9v55/--




More information about the Snort-devel mailing list