[Snort-sigs] How to NOT match on packets or streams
bmc at ...95...
Tue Feb 17 11:04:01 EST 2004
On Mon, Feb 02, 2004 at 04:51:05PM +0100, Martin Olsson wrote:
> Your hint about the no_stream option made me look at the right place in
> the manual. Here I find another option, only_stream, that answered my
> second question (in my previous mail).
> What is the default mode when neither no_stream nor only_stream are set?
> Given your rule above, will it look for the content and pcre in both the
> stream-über-packet and the individual frames? That seems to be a waste of
> CPU resources.
Not a ton. Remember, with 2.0 and beyond, snort doesn't attempt to
evaluate every rule for every packet. The multi-pattern matching foo
buys us quite a bit of speedup where it doesn't hurt to do duplicate
detection as badly. It's still "not good" but it's not "bad".
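The behaviour the thread is asking about, modelled as an added illustration (this is not Snort's engine, just a toy that mimics the evaluation described above): a content rule with neither no_stream nor only_stream is checked against each raw TCP segment and against the reassembled stream, so a pattern that fits inside one segment can fire twice, while a pattern split across segments is only seen in the stream and is missed entirely by a no_stream rule. The segments, rule contents and sids are constructed for the example.

```python
"""Toy model of per-packet vs. reassembled-stream rule evaluation.

Added illustration, not Snort code. It mimics the evaluation order the
thread describes: with no flow modifier a rule is evaluated against each
raw segment *and* against the reassembled stream; no_stream skips the
stream, only_stream skips the raw segments.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """Hypothetical minimal rule: one content match, optional pcre, flow flags."""
    sid: int
    content: bytes
    pcre: Optional[str] = None
    flow: frozenset = field(default_factory=frozenset)  # e.g. {"no_stream"}


def matches(rule: Rule, payload: bytes) -> bool:
    """Content must be present; pcre (if any) must also match the payload."""
    if rule.content not in payload:
        return False
    if rule.pcre is not None and re.search(rule.pcre.encode(), payload) is None:
        return False
    return True


def evaluate(rules: List[Rule], segments: List[bytes]) -> List[Tuple[int, str]]:
    """Return (sid, source) alerts; source is 'packet' or 'stream'.

    Every raw segment is inspected unless the rule says only_stream; the
    reassembled stream is inspected unless the rule says no_stream.
    """
    alerts = []
    stream = b"".join(segments)  # stand-in for stream4's reassembled pseudo-packet
    for rule in rules:
        if "only_stream" not in rule.flow:
            for seg in segments:
                if matches(rule, seg):
                    alerts.append((rule.sid, "packet"))
        if "no_stream" not in rule.flow:
            if matches(rule, stream):
                alerts.append((rule.sid, "stream"))
    return alerts


# Constructed client request split across two TCP segments so that the
# "/cgi-bin/phf" string straddles the segment boundary.
SEGMENTS = [
    b"GET /cgi-bin/ph",
    b"f?Qalias=x HTTP/1.0\r\n",
]

RULES = [
    Rule(sid=1, content=b"/cgi-bin/phf"),                                 # no modifier
    Rule(sid=2, content=b"/cgi-bin/phf", flow=frozenset({"no_stream"})),  # packets only
    Rule(sid=3, content=b"/cgi-bin/phf", flow=frozenset({"only_stream"})),  # stream only
    Rule(sid=4, content=b"GET ", pcre=r"^GET\s+/"),                       # no modifier, fits in one segment
]


if __name__ == "__main__":
    for sid, source in evaluate(RULES, SEGMENTS):
        print(f"sid {sid} alerted on {source}")
```

Running it shows sid 1 and sid 3 alerting once, from the stream; sid 2 never alerting, because the pattern is never whole inside a single segment; and sid 4 alerting twice, once from the first segment and once from the stream, which is the duplicate detection the reply refers to. In a Snort 2.x rule these flags are given through the flow keyword, for example `flow:to_server,established,only_stream;`.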