You may be familiar with the "top-down" matching approach from the world of firewalls. When a firewall encounters...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
new traffic, it starts at the top of its rule base and checks each rule to see if it matches the traffic. When the firewall finds a match, it performs the specified action and stops checking. Even if traffic matches more than one firewall rule, it will only be affected by the rule base's highest priority rule: the one that is first from the top.
IPS sensors typically use the same methodology: they process intrusion signatures beginning at the top of the list and then perform the action specified in the first matching rule. For this reason, it's important for every organization to sort its IPS signatures so that the most important rules are at the top. That way, when a packet matches multiple signatures, you'll be certain that the highest priority rule dictates the IPS response. Sorting your rules in this manner is a fairly simple process. In fact, the easiest way to approach this problem is to order them by the severity of the response: place all of your "reject" rules at the top of the list, followed by your "alert" rules, followed by your "allow" rules. This will ensure that the strongest applicable response takes priority.