[Snort-users] order of rules in rule files?

Chris Green cmg at ...671...
Tue Feb 12 18:43:03 EST 2002


Jason Haar <Jason.Haar at ...294...> writes:

> On Tue, Feb 12, 2002 at 04:58:55PM -0600, Chris Green wrote:
>> Since snort cares about rule ordering and processes them in first per
>> port basis, it does actually matter where you put your rules.  The
>
> Wow - first time I've heard that. Is there any script for optimizing the
> rule order? I've bunged a whole bunch of internal rules into snort, I never
> thought I could optimize them by choosing where to put them...

I don't think I was very clear.  What I meant is that suppose there
are 5 rules that detect exploits for tcp $HOME_NET 80

uricontent: "/hi"
uricontent: "/hitme"
uricontent: "/hitme?with"
uricontent: "/hitme?with+"
uricontent: "/hitme?with+expl0its"

No matter what url you are hit with and the exploits one is the best
match, only the first one will be hit.  The end user optimization is
to avoid "dead" rules.

>
> In fact, doesn't that imply we should look at re-writing the snort rulesets
> into protocol-based sets instead of type (web*,smtp*,etc)? 

No. At some point in the foreseeable future, the detection engine will
be altered to do any or quickest match.  The less end user burden, the
better.

>
>
> Actually, if a script doesn't exist, I think even I could whack one up.
> Surely you could sort by protocol, and then ensure that all rules that
> contain "content" calls appear before rules that don't. That'd do a pretty
> good job...?


Rules are generally written with a catchall rule at the end. Please
ask further if I'm still being confusing.
-- 
Chris Green <cmg at ...671...>
"I'm beginning to think that my router may be confused."
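A small model of the first-match behaviour Chris describes, added here as an example and not part of the original thread or of Snort itself: it replays the five uricontent rules from the post on tcp port 80, compares a first-match engine with a longest-match one, and flags the "dead" rules that can never fire because an earlier rule's uricontent is a substring of theirs. The model looks only at protocol, destination port and uricontent; the sids are constructed.

```python
"""Model of Snort first-match rule selection for overlapping uricontent rules."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int          # constructed identifier, not a real Snort sid
    proto: str
    dst_port: int
    uricontent: str


# Constructed rule set: the five rules from the post, all on tcp $HOME_NET 80,
# in the order they appear in the rule file.
RULES: List[Rule] = [
    Rule(1, "tcp", 80, "/hi"),
    Rule(2, "tcp", 80, "/hitme"),
    Rule(3, "tcp", 80, "/hitme?with"),
    Rule(4, "tcp", 80, "/hitme?with+"),
    Rule(5, "tcp", 80, "/hitme?with+expl0its"),
]


def _candidates(rules: List[Rule], proto: str, port: int, uri: str) -> List[Rule]:
    """Rules on this proto/port whose uricontent occurs in the request URI."""
    return [r for r in rules if r.proto == proto and r.dst_port == port and r.uricontent in uri]


def first_match(rules: List[Rule], proto: str, port: int, uri: str) -> Optional[Rule]:
    """First-match engine: the first rule in file order that matches wins."""
    hits = _candidates(rules, proto, port, uri)
    return hits[0] if hits else None


def best_match(rules: List[Rule], proto: str, port: int, uri: str) -> Optional[Rule]:
    """Best-match engine: prefer the most specific (longest) uricontent."""
    return max(_candidates(rules, proto, port, uri), key=lambda r: len(r.uricontent), default=None)


def dead_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(dead sid, shadowing sid) pairs: a rule is dead under first-match when an earlier
    rule on the same proto/port has a uricontent that is a substring of its own, since
    every URI that matches the later rule already matched the earlier one."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto, earlier.dst_port) == (r.proto, r.dst_port) and earlier.uricontent in r.uricontent:
                dead.append((r.sid, earlier.sid))
                break
    return dead
```
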