[Snort-users] Snort 1.9 vs 2.0
cmg at ...1935...
Fri Oct 11 11:22:03 EDT 2002
[ note: what I'm saying only applies to 2.0+ ]
"Hervé Debar" <herve.debar at ...7137...> writes:
> So IIUC, snort-devel on snort.org is snort 2.0 on sourcefire, right?
> Am I right in assuming that the rule writing is also changing?
The biggest end user change in this is that rule ordering matters a
lot less than it used to. If you specify content options in a rule,
multiple matches will alert on the longest singular content match.
That decision was made to most closely approximate how the snort rule
set was written with
Chris Green <cmg at ...1935...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx