[Snort-sigs] Functional Rule-chain?

Joel Esler jesler at ...435...
Tue Jun 15 11:42:45 EDT 2010


I'm sure VRT will look into this, however, just an FYI.  If you use PulledPork to update rules, PulledPork will autoresolve all the flowbit dependencies for you.


On Jun 15, 2010, at 9:36 AM, Crook, Parker wrote:

> Howdy all,
> I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day.  I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches.  So I opened up rule 3819 and noticed it is just a “flowbits:set, chm_content_type; flowbits:noalert” rule for use by rule 3820.  So I took a look at 3820 and it is disabled by default.
> So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?

Joel Esler
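As an added example (not part of the thread and not PulledPork's code), the following Python script does the kind of flowbit dependency resolution Joel refers to: it parses a Snort rules file, pairs rules that set a flowbit with rules that test it via isset/isnotset, and reports two things: disabled setters that an enabled checker still depends on (the case PulledPork fixes by enabling the setter), and enabled flowbits:noalert setters whose checkers are all disabled (the 3819/3820 situation Parker describes, where the setter burns cycles for nothing). The ruleset is constructed for illustration; the 3819/3820 bodies only mimic the set/noalert and isset structure described in the quoted message, and the 1000001-1000004 sids are made up.

```python
import re
from dataclasses import dataclass

# Matches one Snort rule line; an optional leading "#" marks it disabled.
# The greedy "(.*)" captures the option body between the outermost parentheses.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+\S+.*?\((.*)\)\s*$'
)


@dataclass
class Rule:
    sid: str
    enabled: bool
    sets: set      # flowbit names this rule sets / setx / toggles
    checks: set    # flowbit names this rule tests with isset / isnotset
    noalert: bool  # rule carries flowbits:noalert (exists only to feed others)


def parse_rules(text):
    """Parse rule lines into Rule records, ignoring blanks and free-form comments."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        disabled, _action, body = m.groups()
        sid, sets, checks, noalert = None, set(), set(), False
        # A literal ";" inside content must be hex-escaped (|3B|) in Snort,
        # so splitting the option body on ";" is safe for that form.
        for opt in (o.strip() for o in body.split(';') if o.strip()):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'sid':
                sid = val
            elif key == 'flowbits':
                parts = [p.strip() for p in val.split(',')]
                op = parts[0].lower()
                # "a&b" / "a|b" name a set of bits; a third field is a group name.
                names = set(re.split(r'[&|]', parts[1])) if len(parts) > 1 else set()
                if op in ('set', 'setx', 'toggle'):
                    sets |= names
                elif op in ('isset', 'isnotset'):
                    checks |= names
                elif op == 'noalert':
                    noalert = True
        if sid:
            rules.append(Rule(sid, disabled is None, sets, checks, noalert))
    return rules


def resolve(rules):
    """Return (setters_to_enable, orphan_setters), each a list of sids.

    setters_to_enable: disabled rules that set a bit some enabled rule checks.
    orphan_setters:    enabled noalert rules whose bits no enabled rule checks.
    """
    checkers_by_bit = {}
    for r in rules:
        for bit in r.checks:
            checkers_by_bit.setdefault(bit, []).append(r)
    to_enable, orphans = [], []
    for r in rules:
        if not r.sets:
            continue
        needed = any(c.enabled for bit in r.sets for c in checkers_by_bit.get(bit, []))
        if needed and not r.enabled:
            to_enable.append(r.sid)
        elif r.enabled and r.noalert and not needed:
            orphans.append(r.sid)
    return sorted(to_enable, key=int), sorted(orphans, key=int)


# Constructed sample ruleset (not real VRT rule text).
SAMPLE_RULES = """
# stand-ins for the 3819/3820 pair: enabled noalert setter, disabled checker
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CHM content-type seen"; flow:to_client,established; content:"Content-Type|3A| application/x-chm"; nocase; flowbits:set,chm_content_type; flowbits:noalert; sid:3819; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CHM file download"; flow:to_client,established; flowbits:isset,chm_content_type; content:"ITSF"; sid:3820; rev:1;)
# the reverse problem: an enabled checker whose setter is commented out
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP login seen"; flow:to_server,established; content:"USER"; flowbits:set,ftp.login; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP suspicious command after login"; flow:to_server,established; flowbits:isset,ftp.login; content:"SITE EXEC"; sid:1000002; rev:1;)
# a healthy pair: nothing to change
alert tcp any any -> any 80 (msg:"setter ok"; flowbits:set,ok.bit; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"checker ok"; flowbits:isset,ok.bit; content:"x"; sid:1000004; rev:1;)
"""

if __name__ == '__main__':
    to_enable, orphans = resolve(parse_rules(SAMPLE_RULES))
    print('setters to enable (needed by enabled checkers):', to_enable)
    print('orphan noalert setters (no enabled checker):    ', orphans)
```

Run against the sample, the script reports sid 1000001 as a setter that must be enabled and sid 3819 as an orphan setter. Enabling the first is what PulledPork's flowbit resolution does; what to do with the second (disable it, or enable its checker) is a local tuning decision, which is why it is only reported here.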
