7.4 Rule Execution
Snort has changed the way rules are checked in recent versions. Rules are checked in order of protocol (in this order: TCP/UDP, ICMP, and then IP). Beyond that, the more discriminating rules are checked first. A rule that checks for a specific TCP port will be checked before an "any" rule. A rule with a longer string in its content option will be checked before one with a shorter string. For example, a rule that checks for the content "Volume in drive C has no label" will be checked before a rule with the content "Volume in". Also note that content-matching rules are checked before rules that do not check content.
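To make the ordering concrete, the following added example (not Snort's own code) parses a few constructed Snort-style rules and sorts them by the criteria described above. The tie-breaking order among the sub-criteria (port specificity before content presence before content length) is an assumption made for the example; the section only states each criterion on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Protocol rank as stated in the section: TCP/UDP first, then ICMP, then IP.
PROTO_RANK = {"tcp": 0, "udp": 0, "icmp": 1, "ip": 2}

# Minimal header grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^\w+\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Rule:
    proto: str
    dport: str
    content: Optional[str]
    msg: str


def parse_rule(text: str) -> Rule:
    """Parse a simplified rule; content strings are assumed to contain no ';'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    proto, dport, options = m.groups()
    content, msg = None, ""
    for opt in options.split(";"):
        key, _, value = opt.strip().partition(":")
        if key == "content":
            content = value.strip().strip('"')
        elif key == "msg":
            msg = value.strip().strip('"')
    return Rule(proto.lower(), dport, content, msg)


def check_order_key(rule: Rule):
    """Lower tuples are checked first: protocol, specific port, has content, longer content."""
    return (
        PROTO_RANK[rule.proto],
        0 if rule.dport != "any" else 1,   # specific port before "any"
        0 if rule.content else 1,          # content rules before non-content rules
        -len(rule.content or ""),          # longer content string first
    )


def order_rules(rule_texts: List[str]) -> List[str]:
    """Return the msg of each rule in the order Snort would check them (assumed model)."""
    return [r.msg for r in sorted(map(parse_rule, rule_texts), key=check_order_key)]
```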