[Snort-users] order of rules in rule files?

Jason Haar Jason.Haar at ...294...
Tue Feb 12 18:47:01 EST 2002

On Tue, Feb 12, 2002 at 08:41:48PM -0600, Chris Green wrote:
> I don't think I was very clear.  What I meant is that suppose there
> are 5 rules that detect exploits for tcp $HOME_NET 80
> uricontent: "/hi"
> uricontent: "/hitme"
> uricontent: "/hitme?with"
> uricontent: "/hitme?with+"
> uricontent: "/hitme?with+expl0its"
> No matter what url you are hit with and the exploits one is the best
> match, only the first one will be hit.  The end user optimization is
> to avoid "dead" rules.

Ah right - makes more sense.

> No. At some point in the foreseeable future, the detection engine will
> be altered to do any or quickest match.  The less end user burden, the
> better.

> Rules are generally written with a catchall rule at the end. Please
> ask further if I'm still being confusing

Nope - I'm alright now - I'm no router ;-)


Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

More information about the Snort-users mailing list