[Snort-sigs] Functional Rule-chain?

Joel Esler jesler at ...435...
Tue Jun 15 11:42:45 EDT 2010


Parker,

I'm sure VRT will look into this, however, just an FYI.  If you use PulledPork to update rules, PulledPork will autoresolve all the flowbit dependencies for you.

J

On Jun 15, 2010, at 9:36 AM, Crook, Parker wrote:

> Howdy all,
>  
> I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day.  I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches.  So I opened up rule 3819 and noticed it is just a “flowbits:set, chm_content_type; flowbits:noalert” rule for use by rule 3820.  So I took a look at 3820 and it is disabled by default.
>  
> So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?

--
Joel Esler

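As an added example (not code from this list, from VRT or from PulledPork), here is a small Python script that automates the check Parker did by hand: it parses a constructed rule file modelled on the 3819/3820 pair and reports enabled flowbit setters that no enabled rule consumes (candidates for disabling, since they only cost cycles), plus enabled checkers whose setter is disabled (the dependency PulledPork resolves). The rule bodies, the demo_bit rules and the 9000001/9000002 sids are assumptions.

```python
import re

# Constructed rules modelled on the 3819/3820 pair from the thread; the sids and
# the flowbit name are the ones quoted there, the rule bodies are assumptions.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"setter, on by default"; flowbits:set,chm_content_type; flowbits:noalert; sid:3819; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"checker, off by default"; flowbits:isset,chm_content_type; content:"ITSF"; sid:3820; rev:1;)
alert tcp any any -> any any (msg:"constructed setter"; flowbits:set,demo_bit; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"constructed checker"; flowbits:isset,demo_bit; sid:9000002; rev:1;)
"""

# A leading '#' is how a Snort rule file marks a rule as disabled.
RULE_RE = re.compile(r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\b[^(]*\((.*)\)\s*$')
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def parse_rules(text):
    """Yield (sid, enabled, bits_set, bits_checked) for each rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group(2)) if m else None
        if not sid:
            continue
        bits_set, bits_checked = set(), set()
        for op, names in FLOWBITS_RE.findall(m.group(2)):
            # flowbits:noalert has no name; grouped names use '&' or '|'
            bits = {b.strip() for b in re.split(r'[&|]', names) if b.strip()}
            if op in SETTERS:
                bits_set |= bits
            elif op in CHECKERS:
                bits_checked |= bits
        yield int(sid.group(1)), m.group(1) is None, bits_set, bits_checked

def flowbit_report(text):
    """orphan_setters: enabled rules whose flowbits no enabled rule checks.
    unmet_checkers: enabled rules checking a flowbit no enabled rule sets."""
    rules = list(parse_rules(text))
    set_live = {b for _, en, s, _ in rules if en for b in s}
    checked_live = {b for _, en, _, c in rules if en for b in c}
    orphan = [sid for sid, en, s, _ in rules if en and s and s.isdisjoint(checked_live)]
    unmet = [sid for sid, en, _, c in rules if en and not c <= set_live]
    return {"orphan_setters": sorted(orphan), "unmet_checkers": sorted(unmet)}
```

On the sample above the report lists 3819 as an orphan setter, which is exactly the situation described in the thread.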


