[Snort-sigs] rule options

Zultan zultan at ...1298...
Sat Sep 13 08:02:05 EDT 2003


Does the count for the "depth" rule option start at 0 or 1?  (.pdf Manual does not say)

Does the "nocase" option apply to all content and uricontent option values in the rule, or just the one immediately preceding it?  (.pdf Manual seems to imply this.)


I've seen the recommendation to avoid rules like "any any -> any any", but is there a notable performance benefit for writing -

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any

vice -

alert tcp $HOME_NET any -> $EXTERNAL_NET any ?

In the above, is there a benefit to using EXTERNAL_NET vice "any" when the sensor is on the gateway, and any packet it sees from $HOME_NET would be on its way out the gateway?



Is there a notable performance hit for writing -

content:"Host\: "; content:"badserver.com"; within:20;
(or within:whatever);

vice -

content:"specific.badserver.com"; ?

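The following Python script is an added illustration of how the content modifiers asked about above interact; it is not Snort's code and not part of the original post. It models the search windows as the Snort 2 manual describes them (offset/depth measured from the start of the payload, distance/within measured from the end of the previous content match, nocase a per-content flag), which is an assumption to check against the Snort version in use. The HTTP request it runs on is constructed for the example. It shows that depth and within are byte counts rather than indices (a 3-byte pattern needs depth >= 3), that nocase only affects the content it follows, and that the "Host: " / within:20 form stops matching as soon as a longer host name pushes the second pattern past the window.

```python
"""Model of Snort-style content matching: offset/depth, distance/within, nocase.

Added illustration, not Snort's own code. Window semantics follow the Snort 2
manual's description of these modifiers and are an assumption of this script.
"""


def _window(payload, start, length):
    """Slice payload[start:start+length]; length=None means to the end."""
    if length is None:
        return payload[start:]
    return payload[start:start + length]


def match_content(payload, pattern, *, offset=0, depth=None, distance=None,
                  within=None, nocase=False, prev_end=None):
    """Return (match_start, match_end) or None.

    offset/depth are absolute: search payload[offset : offset+depth].
    distance/within are relative to the end of the previous content match:
    search payload[prev_end+distance : prev_end+distance+within].
    depth and within are byte counts, so a 3-byte pattern needs depth >= 3.
    """
    if distance is not None or within is not None:
        if prev_end is None:
            raise ValueError("distance/within need a previous content match")
        start = prev_end + (distance or 0)
        window = _window(payload, start, within)
    else:
        start = offset
        window = _window(payload, start, depth)
    # nocase only changes how THIS content is compared
    hay, needle = (window.lower(), pattern.lower()) if nocase else (window, pattern)
    idx = hay.find(needle)
    if idx < 0:
        return None
    return (start + idx, start + idx + len(pattern))


def rule_matches(payload, contents):
    """Evaluate an ordered list of content specs the way a rule body is read:
    each content is searched in turn, relative modifiers use the previous
    match end, and the rule fires only if every content matches."""
    prev_end = None
    for spec in contents:
        result = match_content(payload, prev_end=prev_end, **spec)
        if result is None:
            return False
        prev_end = result[1]
    return True


# Constructed sample request (not captured traffic)
REQUEST = b"GET / HTTP/1.1\r\nHost: www.badserver.com\r\nUser-Agent: x\r\n\r\n"


def demo():
    results = {}
    # depth is a byte count from the payload start: "GET" needs depth >= 3
    results["depth3"] = rule_matches(REQUEST, [{"pattern": b"GET", "depth": 3}])
    results["depth2"] = rule_matches(REQUEST, [{"pattern": b"GET", "depth": 2}])
    # nocase applies only to the content it follows: the second content is
    # still case-sensitive, so the upper-cased host does not match it
    mixed = REQUEST.replace(b"Host: www.badserver.com", b"HOST: www.BADSERVER.com")
    results["nocase_first_only"] = rule_matches(mixed, [
        {"pattern": b"Host: ", "nocase": True},
        {"pattern": b"badserver.com", "within": 20},
    ])
    # within:20 bounds how far past "Host: " the second pattern may end;
    # a longer host name pushes it out of the 20-byte window
    rule = [{"pattern": b"Host: "}, {"pattern": b"badserver.com", "within": 20}]
    results["within_short_host"] = rule_matches(REQUEST, rule)
    long_host = REQUEST.replace(b"www.badserver.com", b"www.very.long.sub.badserver.com")
    results["within_long_host"] = rule_matches(long_host, rule)
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {'match' if hit else 'no match'}")
```

Running it prints a match for depth3 and within_short_host and no match for the other three cases, which is the practical consequence of treating depth and within as byte counts and nocase as a per-content flag.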