[Snort-users] Rule order?

Ralf Spenneberg lists at ...9778...
Thu Dec 18 04:47:03 EST 2003


On Wed, 2003-12-17 at 21.32, Toby Rodwell wrote:
> I think I might be missing something basic here.  I'm getting to grips with
> Snort, trying out some really simple configs.  I'm used to rules being run in
> the sequence they appear, so my snort.conf is currently this:-
Unfortunately, that's not the way Snort evaluates the rules. Depending on
the Snort version the rules are reordered differently.
Snort always reorders the rules to increase its performance. It
practically builds its rule engine on the fly. If you are using Snort
2.x there is a whitepaper on the Snort homepage explaining the
multirule-engine.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
