[Snort-users] order of matching rules

Christopher Kruegel chris at ...7037...
Tue Oct 22 09:08:10 EDT 2002


Chris Green <cmg at ...1935...> writes:

>> The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
>> "For some strange reason, Snort stops the detection process for a
>> packet after the first matching rule - maybe to improve performance"
>> while talking about snort-ng. Is this the way it works in
>> Snort-1.9.0 too?
>
>For Snort-1.9.x yes.
>For Snort-2.0, no.
>
>There was a first exit match strategy first.  The strange reason was
>once you got something you care about, why bother keeping going on and
>let the ruleset editors worry about rule ordering.

I think the fact that Snort 2.0 changed this behavior clearly indicates that a 
first exit strategy causes more problems than it solves. The massive number 
of alerts generated includes many that you do not care about - especially 
probing attacks. These are often filtered out automatically. You definitely 
do not want an attack that you care about being hidden behind a benign alert 
that gets discarded in an automatic way.  Therefore, reporting _all_ rules 
that match seems to be a good idea.

> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.

I wonder what that means exactly - could you be a bit more specific :)

christopher kruegel
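The masking effect described in the reply above, shown as an added example that is not part of the original post or of Snort's own code: a toy content matcher in Python that implements both strategies (first-exit as in Snort 1.9.x, report-all as in Snort 2.0) and a hypothetical downstream filter that auto-discards low-priority alerts. The rule SIDs, messages, priorities, the packet payload and the filter threshold are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    priority: int   # Snort convention: 1 is the most severe
    content: bytes  # byte pattern that must appear in the payload

@dataclass(frozen=True)
class Packet:
    dport: int
    payload: bytes

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Minimal content match; real Snort also checks headers, offsets, flow, etc."""
    return rule.content in pkt.payload

def detect_first_exit(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Snort 1.9-style: stop at the first rule that fires for this packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return [rule]
    return []

def detect_all(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Snort 2.0-style: evaluate every rule and report all that fire."""
    return [rule for rule in rules if rule_matches(rule, pkt)]

# Hypothetical post-processing stage (an assumption, not a Snort feature):
# an analyst console that automatically discards alerts of priority 3 or
# worse, the way noisy probe alerts are often suppressed.
MAX_REPORTED_PRIORITY = 2

Strategy = Callable[[List[Rule], Packet], List[Rule]]

def reported_sids(strategy: Strategy, rules: List[Rule], pkt: Packet) -> List[int]:
    """SIDs that survive detection *and* the automatic low-priority filter."""
    hits = strategy(rules, pkt)
    return [r.sid for r in hits if r.priority <= MAX_REPORTED_PRIORITY]

# Constructed rule set (not real Snort SIDs): a noisy low-priority probe rule
# happens to be listed before a high-severity rule, as can occur in a large
# ruleset when nobody curates rule order.
RULES = [
    Rule(1000001, "CONSTRUCTED scanner user-agent probe", 3, b"User-Agent: scanner"),
    Rule(1000002, "CONSTRUCTED directory traversal attempt", 1, b"../../"),
]

# Constructed packet whose payload matches both rules at once.
PKT = Packet(80, b"GET /../../secret HTTP/1.0\r\nUser-Agent: scanner\r\n\r\n")

if __name__ == "__main__":
    print("first-exit, raw hits:   ", [r.sid for r in detect_first_exit(RULES, PKT)])
    print("report-all, raw hits:   ", [r.sid for r in detect_all(RULES, PKT)])
    print("first-exit, after filter:", reported_sids(detect_first_exit, RULES, PKT))
    print("report-all, after filter:", reported_sids(detect_all, RULES, PKT))
    # Reordering the ruleset is the only remedy under first-exit matching.
    print("first-exit, reordered:   ", reported_sids(detect_first_exit, list(reversed(RULES)), PKT))
```

With first-exit matching the packet produces only the priority-3 probe alert, the filter drops it, and the traversal attempt is never reported; with report-all matching both rules fire and the priority-1 alert survives. Reversing the rule order rescues first-exit for this packet, which is exactly the rule-ordering burden the quoted reply puts on ruleset editors.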