[Snort-users] order of rules in rule files?
Jason.Haar at ...294...
Tue Feb 12 18:47:01 EST 2002
On Tue, Feb 12, 2002 at 08:41:48PM -0600, Chris Green wrote:
> I don't think I was very clear. What I meant is that suppose there
> are 5 rules that detect exploits for tcp $HOME_NET 80
> uricontent: "/hi"
> uricontent: "/hitme"
> uricontent: "/hitme?with"
> uricontent: "/hitme?with+"
> uricontent: "/hitme?with+expl0its"
> No matter what url you are hit with and the exploits one is the best
> match, only the first one will be hit. The end user optimization is
> to avoid "dead" rules.
Ah right - makes more sense.
> No. At some point in the foreseeable future, the detection engine will
> be altered to do any or quickest match. The less end user burden, the
> Rules are generally written with a catchall rule at the end. Please
> ask further if I'm still being confusing
Nope - I'm alright now - I'm no router ;-)
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
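To make the first-match shadowing Chris describes concrete, here is an added Python linter (constructed for this page, not code from the thread or from the Snort project) that pulls the uricontent pattern out of each rule, emulates a first-match engine, flags rules that can never fire because an earlier rule's pattern is a substring of theirs, and reorders the set most-specific-first; the rule strings, msg fields and sids are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Constructed Snort-style rules carrying the five uricontent patterns from the
# thread (msg and sid values are placeholders, not real Snort rule ids).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hi"; uricontent:"/hi"; sid:9000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hitme"; uricontent:"/hitme"; sid:9000002;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hitme-with"; uricontent:"/hitme?with"; sid:9000003;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hitme-with-plus"; uricontent:"/hitme?with+"; sid:9000004;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"hitme-exploit"; uricontent:"/hitme?with+expl0its"; sid:9000005;)',
]

URICONTENT_RE = re.compile(r'uricontent:\s*"([^"]*)"')

def uricontent(rule: str) -> Optional[str]:
    """Extract the uricontent pattern from one rule line (None if it has none)."""
    m = URICONTENT_RE.search(rule)
    return m.group(1) if m else None

def first_match(rules: List[str], uri: str) -> Optional[int]:
    """Emulate a first-match engine: index of the first rule whose pattern is in the URI."""
    for i, rule in enumerate(rules):
        pat = uricontent(rule)
        if pat is not None and pat in uri:
            return i
    return None

def dead_rules(rules: List[str]) -> List[Tuple[int, int]]:
    """Return (dead_index, shadowing_index) pairs. Under first-match ordering a rule is
    dead when an earlier rule's pattern is a substring of its own pattern: any URI that
    contains the later pattern necessarily contains the earlier one, which fires first."""
    pats = [uricontent(r) for r in rules]
    dead = []
    for j, pj in enumerate(pats):
        if pj is None:
            continue
        for i in range(j):
            if pats[i] is not None and pats[i] in pj:
                dead.append((j, i))
                break
    return dead

def most_specific_first(rules: List[str]) -> List[str]:
    """Stable reorder with the longest uricontent first, so no rule is shadowed."""
    return sorted(rules, key=lambda r: -len(uricontent(r) or ""))
```

Run against RULES as written, every rule after "/hi" is reported dead; after most_specific_first the exploit rule is the one that fires for "/hitme?with+expl0its" and the catchall "/hi" ends up last.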