7.4 Rule Execution


Snort has changed the way rules are checked in recent versions. Rules are checked in order of protocol (in this order: TCP/UDP, ICMP, and then IP). Beyond that, the more discriminating rules are checked first. A rule that checks for a specific TCP port is checked before an "any" rule. A rule with a longer string in its content option is checked first. For example, a rule that checks for the content "Volume in drive C has no label" will be checked before a rule with the content "Volume in". Also note that content-matching rules are checked before rules that do not check content.
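To make that ordering concrete, the following is an added example (not from the book and not Snort's own code) that sorts a few constructed rules by the criteria just listed. It assumes the criteria act as tie-breakers in the order the text gives them, and it parses only the simple header and option syntax used in the samples.

```python
import re
from typing import List, Tuple

# Protocol rank as described in the text: TCP/UDP first, then ICMP, then IP.
PROTO_RANK = {"tcp": 0, "udp": 0, "icmp": 1, "ip": 2}

# Minimal rule header/option parser (assumption: single-line rules, no variables).
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*"
    r"(->|<>)\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_CONTENT = re.compile(r'content\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"')
_MSG = re.compile(r'msg\s*:\s*"([^"]*)"')

def rule_key(rule: str) -> Tuple[int, int, int, int]:
    """Sort key: (protocol rank, number of 'any' ports,
    0 if the rule has content else 1, negative length of longest content).
    Lower keys are checked first."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    proto = PROTO_RANK.get(m["proto"].lower(), len(PROTO_RANK))
    # A rule naming a port is more discriminating than one using "any".
    any_ports = sum(1 for p in (m["sport"], m["dport"]) if p.lower() == "any")
    contents = _CONTENT.findall(m["opts"])
    longest = max((len(c) for c in contents), default=0)
    return (proto, any_ports, 0 if contents else 1, -longest)

def order_rules(rules: List[str]) -> List[str]:
    """Return the rules in the order the text says Snort checks them."""
    return sorted(rules, key=rule_key)

def rule_msg(rule: str) -> str:
    """Extract the msg option so results are readable."""
    m = _MSG.search(rule)
    return m.group(1) if m else rule

# Constructed sample rules (not from the page); the msg label names each case.
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"ip";)',
    'alert tcp any any -> any any (msg:"short"; content:"Volume in";)',
    'alert tcp any any -> any any (msg:"long"; content:"Volume in drive C has no label";)',
    'alert icmp any any -> any any (msg:"icmp";)',
    'alert tcp any any -> any 139 (msg:"port"; content:"Volume in";)',
    'alert tcp any any -> any any (msg:"nocontent";)',
]

if __name__ == "__main__":
    for rule in order_rules(SAMPLE_RULES):
        print(rule_key(rule), rule_msg(rule))
```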



Managing Security With Snort and IDS Tools
ISBN: 0596006616
Year: 2006
Pages: 136
