[Snort-users] order of matching rules
chris at ...7037...
Tue Oct 22 09:08:10 EDT 2002
Chris Green <cmg at ...1935...> writes:
>> The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
>> "For some strange reason, Snort stops the detection process for a
>> packet after the first matching rule - maybe to improve performance"
>> while talking about snort-ng. Is this the way it works in
>> Snort-1.9.0 too?
>For Snort-1.9.x yes.
>For Snort-2.0, no.
>There was a first exit match strategy first. The strange reason was
>once you got something you care about, why bother keeping going on and
>let the ruleset editors worry about rule ordering.
I think the fact that Snort 2.0 changed this behavior clearly indicates that a
first exit strategy causes more problems than it solves. The massive number
of alerts generated includes many that you do not care about - especially
probing attacks. These are often filtered out automatically. You definitely
do not want an attack that you care about being hidden behind a benign alert
that gets discarded in an automatic way. Therefore, reporting _all_ rules
that match seems to be a good idea.
> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.
I wonder what that means exactly - could you be a bit more specific :)
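The point made above about first-exit matching hiding an interesting alert behind a benign one can be shown with a toy simulator. This is an added illustration, not code from Snort or from anyone in this thread: the rules, packet payloads and the "benign" flag are constructed, and the matcher is a plain substring search rather than Snort's real detection engine. It evaluates one constructed ruleset against a packet under both a first-exit strategy (Snort 1.9.x as described) and a report-all strategy (Snort 2.0 as described), then applies the kind of automatic filter that drops probe alerts, and it also shows the 1.9-era workaround of reordering the ruleset so the rules you care about come first.

```python
"""Toy rule-matching simulator: first-exit vs. report-all (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    benign: bool = False  # True: an alert the site auto-filters (e.g. generic probes)


# Constructed ruleset. The generic probe rule happens to sit first, which is
# exactly the ordering problem first-exit matching pushes onto ruleset editors.
RULES: List[Rule] = [
    Rule(1000001, "generic web probe", b"GET /", benign=True),
    Rule(1000002, "directory traversal in URI", b"../.."),
    Rule(1000003, "cmd.exe in URI", b"cmd.exe"),
]

# Constructed sample payloads (not captured traffic).
PACKETS = {
    "probe": b"GET / HTTP/1.0\r\n",
    "traversal": b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
}


def match(rule: Rule, payload: bytes) -> bool:
    """Stand-in for Snort's content matching: plain substring search."""
    return rule.content in payload


def first_exit(rules: List[Rule], payload: bytes) -> List[Rule]:
    """Snort 1.9.x behaviour as described in the thread: stop at the first hit."""
    for rule in rules:
        if match(rule, payload):
            return [rule]
    return []


def report_all(rules: List[Rule], payload: bytes) -> List[Rule]:
    """Snort 2.0 behaviour as described in the thread: report every hit."""
    return [rule for rule in rules if match(rule, payload)]


def filter_benign(alerts: List[Rule]) -> List[Rule]:
    """The automatic post-processing step that discards alerts nobody reads."""
    return [rule for rule in alerts if not rule.benign]


def surviving_sids(rules: List[Rule], payload: bytes,
                   strategy: Callable[[List[Rule], bytes], List[Rule]]) -> List[int]:
    """SIDs that still reach an analyst after detection and benign filtering."""
    return [rule.sid for rule in filter_benign(strategy(rules, payload))]


def prioritise(rules: List[Rule]) -> List[Rule]:
    """The 1.9-era workaround: ruleset editors order non-benign rules first.

    sorted() is stable, so relative order within each group is preserved.
    """
    return sorted(rules, key=lambda rule: rule.benign)


if __name__ == "__main__":
    payload = PACKETS["traversal"]
    print("first-exit, then filter :", surviving_sids(RULES, payload, first_exit))
    print("report-all, then filter :", surviving_sids(RULES, payload, report_all))
    print("first-exit after reorder:", surviving_sids(prioritise(RULES), payload, first_exit))
```

With the traversal payload, first-exit stops at the benign probe rule and the automatic filter then drops the only alert, so the analyst sees nothing; report-all surfaces the two alerts that matter regardless of rule order. Reordering the ruleset rescues first-exit for this packet, but only because someone remembered to do it, which is the maintenance burden the thread is complaining about.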