Organize Your Rules

After you have trimmed your ruleset, organize the remaining rules so that Snort evaluates the cheap checks first and the expensive ones last. Rules that depend on content options (content, uricontent, pcre) are the most resource intensive, because each one requires a search through the packet payload; rules that match only on the header or on simple Boolean and numeric options (flags, ttl, dsize, itype, and the like) are comparatively cheap. The goal is for a packet to trigger on one of those cheap OTNs before it ever reaches a rule with a computationally expensive content option. Merging all the rules into a single file with the Boolean and mathematical rules first is a significant task, so you may want to wait until the ruleset has solidified after a few weeks of use before attempting it. Note that this ordering advice reflects the Snort 1.x detection engine; from Snort 2.0 onward the multi-pattern matcher groups rules by port and tests their content patterns first, so the order of rules within a file matters far less there.

Another strategy is to create non-content-based rules that alert on protocols that should not be present ...
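The merge described above, with the Boolean and mathematical rules ahead of the content rules, can be automated. The following script is an added example written for this page, not code from the book or from the Snort project. It assumes standard Snort rule syntax (options separated by `;` inside parentheses, backslash line continuation, and `var`/`include`/`preprocessor` lines that are not rules), treats any rule whose options include content, uricontent or pcre as expensive, and moves those rules after every other rule while preserving the relative order inside each group. The sample ruleset, including its sids, is constructed for the example; header-only policy rules like the telnet one illustrate the second strategy of alerting on protocols that should not be present.

```python
"""Order a Snort ruleset so that rules without content matching come first.

Added example (not from the book or the Snort project). Any rule whose options
include content, uricontent or pcre is treated as expensive and moved after every
other rule; relative order inside each group is preserved. Assumes standard Snort
rule syntax: ';'-separated options in parentheses and backslash line continuation.
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
CONTENT_KEYWORDS = {"content", "uricontent", "pcre"}

# Constructed sample ruleset for this example (sids in the local 1000000+ range).
SAMPLE_RULES = """\
var HOME_NET 192.168.1.0/24
# comment lines and blank lines are dropped from the merged output
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \\
    content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"POLICY telnet to internal host"; flow:to_server; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"SCAN nmap XMAS"; flags:FPU; sid:1000003; rev:1;)
alert ip any any -> $HOME_NET any (msg:"MISC the word content in a msg is not a content option"; ttl:1; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP SITE EXEC"; pcre:"/SITE\\s+EXEC/i"; sid:1000005; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP large echo request"; itype:8; dsize:>1024; sid:1000006; rev:1;)
"""


def _join_continuations(text):
    """Glue lines ending in a backslash onto the following line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def _option_keywords(body):
    """Return the keyword of every option in a rule body, splitting on ';'
    only outside double-quoted strings (backslash escapes honoured)."""
    keywords, cur, in_quote, escaped = [], [], False, False

    def flush():
        opt = "".join(cur).strip()
        if opt:
            keywords.append(opt.split(":", 1)[0].strip().lower())
        cur.clear()

    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
            continue
        cur.append(ch)
    flush()
    return keywords


def is_rule(line):
    """A rule line starts with a Snort action; var/include/preprocessor lines do not."""
    return line.split(None, 1)[0].lower() in ACTIONS if line.strip() else False


def rule_keywords(rule):
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    return _option_keywords(m.group(1)) if m else []  # header-only rule: no options


def is_content_rule(rule):
    return any(k in CONTENT_KEYWORDS for k in rule_keywords(rule))


def sid_of(rule):
    m = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return int(m.group(1)) if m else None


def order_rules(text):
    """Merged output: config lines first, then rules without content options,
    then content rules. Comments and blank lines are dropped."""
    lines = [l.strip() for l in _join_continuations(text)]
    lines = [l for l in lines if l and not l.startswith("#")]
    config = [l for l in lines if not is_rule(l)]
    rules = [l for l in lines if is_rule(l)]
    cheap = [r for r in rules if not is_content_rule(r)]
    costly = [r for r in rules if is_content_rule(r)]
    return config + cheap + costly


if __name__ == "__main__":
    for line in order_rules(SAMPLE_RULES):
        print(line)
```

Run as a script it prints the merged ruleset with the telnet, XMAS, ttl and ICMP rules ahead of the cmd.exe and SITE EXEC rules. The option splitter is deliberately quote-aware so that a `;` or the word `content` inside a `msg` string does not misclassify a rule; a naive substring search on `content` would.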
