[Snort-users] Content-list Ordering

Scott Fringer fringsm at ...5133...
Thu Jul 11 10:41:03 EDT 2002


I'm writing a rule using the content-list directive, and per the
documentation have created my content file (read the online doc and FAQ).

My question is how is the processing of this file handled?  Is the list
checked top-down and exited as soon as a match is made, or is every entry
compared regardless of when/how many matches occur?  So, should I put more
specific content at the top leaving less strict content at the end?  Does
it really matter?  (Just wanting to make things as easy on Snort as
possible; granted this content matching rule is the only rule this sensor
will be processing.  It's running for a specialized purpose.)

Thanks,
 Scott

Scott Fringer                              Shands Healthcare @ U.F.
Network Systems Analyst                        Gainesville, FL





More information about the Snort-users mailing list