[Snort-sigs] Functional Rule-chain?

Crook, Parker Parker_Crook at ...2899...
Tue Jun 15 09:36:48 EDT 2010


Howdy all,
I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day.  I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches.  So I opened up rule 3819 and noticed it is just a "flowbits:set, chm_content_type; flowbits:noalert" rule for use by rule 3820.  So I took a look at 3820 and it is disabled by default.
So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?
Cheers,

Parker
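The mismatch Parker found by hand (an enabled producer rule doing only flowbits:set plus flowbits:noalert, whose sole flowbits:isset consumer is commented out) can be checked mechanically across a whole rule file. The script below is an added example, not code from the post or from the Snort project; the sample rules it parses are constructed for illustration, use hypothetical local-range SIDs, and are not the real VRT rules 3819/3820. It reports orphaned producers (enabled, noalert, no enabled consumer of any bit they set) and, as the converse, enabled isset consumers whose bit no enabled rule sets.

```python
"""Flowbits dependency check for a Snort 2.x rule file (added example).

Flags an enabled rule whose only job is ``flowbits:set`` + ``flowbits:noalert``
while every ``flowbits:isset`` consumer of that bit is disabled, so the producer
spends detection cycles on traffic that can never produce an alert.  Also flags
an enabled ``isset`` consumer whose bit is never set by any enabled rule.
"""
import re
from collections import defaultdict

# Constructed sample rules for this example (hypothetical SIDs, not real VRT rules).
SAMPLE_RULES = """\
# producer: sets the bit and suppresses its own alert
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE CHM content-type seen"; flow:established,to_client; content:"application/x-chm"; nocase; flowbits:set,chm_content_type; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)
# its only consumer, disabled by default:
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE CHM file transfer"; flow:established,to_client; flowbits:isset,chm_content_type; content:"ITSF"; depth:4; classtype:policy-violation; sid:1000002; rev:1;)
# a healthy pair: producer and consumer both enabled
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE SMTP data seen"; flow:established,to_server; content:"DATA"; flowbits:set,smtp_data; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE suspicious SMTP payload"; flow:established,to_server; flowbits:isset,smtp_data; content:"MZ"; sid:1000004; rev:1;)
# a consumer whose bit nothing sets
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE stale consumer"; flowbits:isset,ghost_bit; sid:1000005; rev:1;)
"""

# One rule per line; a leading '#' means the rule is disabled.  Header has no
# parentheses, so the first '(' opens the option block.
RULE_RE = re.compile(r'^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*([^;]+);')

PRODUCER_OPS = {'set', 'setx', 'unset', 'toggle', 'reset'}
CONSUMER_OPS = {'isset', 'isnotset'}


def parse_rules(text):
    """Return [(sid, enabled, [(op, [bit names]), ...]), ...] for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        enabled = m.group(1) is None
        body = m.group(3)
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        ops = []
        for raw in FLOWBITS_RE.findall(body):
            parts = [p.strip() for p in raw.split(',')]
            op = parts[0].lower()
            # bit field may be "a&b" or "a|b"; an optional third field is a group name
            names = re.split(r'[&|]', parts[1]) if len(parts) > 1 and parts[1] else []
            ops.append((op, [n.strip() for n in names if n.strip()]))
        rules.append((int(sid_m.group(1)), enabled, ops))
    return rules


def find_orphans(rules):
    """Return [(kind, sid, bits)] findings: 'orphan_setter' or 'unset_bit'."""
    setters, checkers = defaultdict(list), defaultdict(list)
    for sid, enabled, ops in rules:
        for op, names in ops:
            for name in names:
                if op in PRODUCER_OPS:
                    setters[name].append((sid, enabled))
                elif op in CONSUMER_OPS:
                    checkers[name].append((sid, enabled))
    findings = []
    for sid, enabled, ops in rules:
        if not enabled or not ops:
            continue
        opnames = {op for op, _ in ops}
        sets_bits = [n for op, names in ops if op in PRODUCER_OPS for n in names]
        # Pure producer: sets bits, never alerts, never tests a bit itself.
        if sets_bits and 'noalert' in opnames and not (opnames & CONSUMER_OPS):
            live = [c for b in sets_bits for c, en in checkers.get(b, []) if en]
            if not live:
                findings.append(('orphan_setter', sid, sets_bits))
        for b in (n for op, names in ops if op == 'isset' for n in names):
            if not any(en for _, en in setters.get(b, [])):
                findings.append(('unset_bit', sid, [b]))
    return findings


if __name__ == '__main__':
    for kind, sid, bits in find_orphans(parse_rules(SAMPLE_RULES)):
        print(f'{kind}: sid {sid} bits {",".join(bits)}')
```

To audit a real deployment, feed it the concatenation of every rules file that snort.conf includes, after whatever disablesid/enablesid processing (oinkmaster, pulledpork) has run, since that is what decides the commented-out state. The parser assumes one rule per line and does not handle backslash line continuations.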
