[Snort-sigs] Functional Rule-chain?
Parker_Crook at ...2899...
Tue Jun 15 09:36:48 EDT 2010
I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day. I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches. So I opened up rule 3819 and noticed it is just a "flowbits:set, chm_content_type; flowbits:noalert" rule for use by rule 3820. So I took a look at 3820 and it is disabled by default.
So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?
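The situation described in the post, an enabled rule that only sets a flowbit whose sole checker is disabled, can be found across a whole ruleset with a short script. This is an added example, not part of the original post and not Snort project code; the rule bodies and SIDs in the sample are constructed for illustration and are not the actual text of rules 3819 or 3820.

```python
import re
from collections import defaultdict

SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}
# Matches an enabled rule or one disabled by commenting it out ("# alert ...").
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed sample ruleset (hypothetical SIDs and rule bodies).
SAMPLE_RULES = '''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed setter"; flow:to_client,established; flowbits:set,chm_content_type; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed checker, disabled"; flow:to_client,established; flowbits:isset,chm_content_type; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed setter, in use"; flowbits:set,demo.bit; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed checker, enabled"; flowbits:isset,demo.bit; sid:1000004; rev:1;)
'''

def parse_rules(text):
    """Yield (sid, enabled, [(op, bit), ...]) for every rule line in text."""
    for line in text.splitlines():
        rule, sid = RULE_RE.match(line), SID_RE.search(line)
        if not rule or not sid:
            continue
        ops = []
        for op, names in FLOWBITS_RE.findall(line):
            # Later Snort 2.9 releases allow "bit1&bit2" / "bit1|bit2" lists.
            ops += [(op, b.strip()) for b in re.split(r"[&|]", names) if b.strip()]
        yield int(sid.group(1)), rule.group(1) is None, ops

def orphaned_setters(text):
    """Return {sid: [bits]} for enabled rules setting bits no enabled rule checks."""
    setters, checked = defaultdict(set), set()
    for sid, enabled, ops in parse_rules(text):
        if not enabled:
            continue  # a disabled rule neither sets nor checks anything
        for op, bit in ops:
            if op in SETTERS:
                setters[sid].add(bit)
            elif op in CHECKERS:
                checked.add(bit)
    return {s: sorted(b - checked) for s, b in setters.items() if b - checked}

if __name__ == "__main__":
    for sid, bits in orphaned_setters(SAMPLE_RULES).items():
        print(f"sid {sid} sets {', '.join(bits)} but no enabled rule checks it")
```

Rules reported this way are candidates for disabling alongside their checker, since they cost inspection time without being able to contribute to an alert.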