[Snort-users] Snort Optimization: Better to Pass a rule or Disable?

Mark Ewert mewert at ...10516...
Wed Nov 19 18:28:06 EST 2003

Quick question - in optimizing Snort - is it better to create a pass
rule for a rule that triggers falsely or disable it? If my understanding
is correct, Snort processes rules in their order in the config file (per
the rule order configuration - log, alert, etc...) - If a rule is
disabled (and not in the config file) does Snort still analyze the
traffic against its rule list (not finding a rule) therefore making a
pass rule more optimal (assuming Snort has been directed to examine pass
rules first, of course)? I'd appreciate any wisdom from fellow Snorters.

Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com <http://www.ihcis.com/>

