On Tue, 2006-07-25 at 12:04 -0400, Joel Esler wrote:
Pass rules and Suppression are pretty much processed at the same time,
however, suppression does not require rule ordering, so it's preferred
your use Suppression.
Is that an accurate statement?
When a pass rule matches, the whole packet/stream is ignored, meaning
that any other rules are not matched (early out).
It is my understanding that suppression rules only become effective
after a signature match is successful, and if suppressed with that SID,
will not cause an alert *with that SID*. However, other SIDs may still
alert, so the packet/stream is getting evaluated by other rules.
So I can't see them being equal. In regards to performance it appears
that pass rules are faster (since no further matching occurs), which of
course means that one has to be careful using pass rules as they might
squelch other rules you might want an alert on.
At least I recall that working like this at some point in time. Has that
changed?
Regards,
Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
signature.asc
Description: This is a digitally signed message part
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
