[Snort-users] Rule performance profiling question

waldo kitty wkitty42 at ...14940...
Thu Sep 16 11:24:26 EDT 2010


On 9/16/2010 09:07, Andy Berryman wrote:
> Joel wrote that they “both are SO rules.”
>
> What does that have to do with it? Does it make a difference that they are so
> rules?

yes... because they are GID:3 while the normal text rules in the *.rules files 
are GID:1... GID:3 are binary and if one is not using them, one cannot locate 
their SID ;)

with GID:3 being binary, there is also the problem of them having to be 
distributed in pre-compiled format... that means that they must be compatible 
with one's kernel and environment... if there are no pre-compiled rules that fit 
one's kernel and environment, then one cannot use GID:3 rules at all... well, 
not unless their source is available and can be compiled for one's 
environment... however, making the source for GID:3 rules available negates the 
reason for their existence in the first place... that reason is to prevent folk 
from seeing what is being detected and how so that they cannot work to avoid the 
detection...

IIUC, GID:3 rules detect traffic problems that have not yet been made public...




More information about the Snort-users mailing list