[Snort-users] Snort 1.9 vs 2.0

Chris Green cmg at ...1935...
Fri Oct 11 11:22:03 EDT 2002


[ note: what I'm saying only applies to 2.0+ ]

"Hervé Debar" <herve.debar at ...7137...> writes:
>
> So IIUC, snort-devel on snort.org is snort 2.0 on sourcefire, right ?
>
> Am I right in assuming that the rule writing is also changing ?
>
> Thanks,

The biggest end user change in this is that rule ordering matters a
lot less than it used to. If you specify content options in a rule,
multiple matches will alert on the longest singular content match.

That decision was made to most closely approximate how the snort rule
set was written with

most exact
less exact
catch all

rule systems
-- 
Chris Green <cmg at ...1935...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
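To make the selection rule above concrete, here is an added illustration (not Snort's own code, and a deliberate simplification of its detection engine) contrasting the order-dependent "first rule that matches fires" behaviour with the 2.0 behaviour described in the reply: among rules whose content options all match, the one whose longest single content string is longest wins, regardless of where it sits in the rule file. The rule ids, messages, content strings and payload are constructed for the example; the tie-break on equal lengths (keep the earlier rule) is an assumption, not something the post states.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Rule:
    """Minimal stand-in for a Snort rule: only the content options matter here."""
    sid: int              # constructed rule id (hypothetical, not a real Snort sid)
    msg: str
    contents: list[bytes]  # every content option must be present in the payload


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """A rule matches only if all of its content strings occur in the payload."""
    return all(c in payload for c in rule.contents)


def select_first_match(rules: list[Rule], payload: bytes) -> Rule | None:
    """Order-dependent selection: the first rule in file order that matches fires.
    This is the style of behaviour where rule ordering matters a lot."""
    for rule in rules:
        if rule_matches(rule, payload):
            return rule
    return None


def select_longest_content(rules: list[Rule], payload: bytes) -> Rule | None:
    """Order-independent selection as described in the post: among all matching
    rules, alert on the one with the longest single content match. On a tie the
    earlier rule is kept (assumption made for this example)."""
    best: Rule | None = None
    best_len = -1
    for rule in rules:
        if not rule_matches(rule, payload):
            continue
        longest = max(len(c) for c in rule.contents)
        if longest > best_len:
            best, best_len = rule, longest
    return best


# Constructed rule set, written catch-all first on purpose so that the two
# selection strategies disagree.
RULES = [
    Rule(1000001, "catch all: any HTTP GET", [b"GET "]),
    Rule(1000002, "less exact: cgi-bin access", [b"/cgi-bin/"]),
    Rule(1000003, "most exact: specific CGI script", [b"/cgi-bin/example.cgi"]),
]

# Constructed sample payload.
PAYLOAD = b"GET /cgi-bin/example.cgi HTTP/1.0\r\n"


if __name__ == "__main__":
    first = select_first_match(RULES, PAYLOAD)
    longest = select_longest_content(RULES, PAYLOAD)
    print("first-match  ->", first.sid, first.msg)          # catch-all fires
    print("longest      ->", longest.sid, longest.msg)      # most exact fires
    reversed_hit = select_longest_content(list(reversed(RULES)), PAYLOAD)
    print("reversed     ->", reversed_hit.sid, reversed_hit.msg)  # same rule, order ignored
```

With the catch-all rule listed first, the first-match strategy alerts on the generic GET rule and the more specific rules never get a chance; the longest-content strategy picks the most exact rule whether the file is read forwards or backwards, which is the practical reason rule ordering matters less.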



