[Snort-sigs] How to NOT match on packets or streams

Brian bmc at ...95...
Tue Feb 17 11:04:01 EST 2004


On Mon, Feb 02, 2004 at 04:51:05PM +0100, Martin Olsson wrote:
> Your hint about the no_stream option made me look at the right place in
> the manual. Here I find another option, only_stream, that answered my
> second question (in my previous mail).
> 
> But...
> 
> What is the default mode when neither no_stream nor only_stream are set?

Check both.

> Given your rule above, will it look for the content and pcre in both the
> stream-über-packet and the individual frames? That seems to be a waste of
> CPU resources.

Not a ton.  Remember, with 2.0 and beyond, snort doesn't attempt to
evaluate every rule for every packet.  The multi-pattern matching foo
buys us quite a bit of speedup where it doesn't hurt to do duplicate
detection as badly.  It's still "not good" but it's not "bad".

-brian



