A method and a device for optimizing and configuring a detection rule, where the method includes: a network entity receives network traffic; extracts a packet from the network traffic, and identifies, according to a feature of the packet, protocol related information used in the network; saves the protocol related information and correspondence between pieces of information in the protocol related information to a first learning association table; and matches a corresponding rule from a vulnerability rule base according to the protocol related information to generate a first compact rule set. Through the generated compact rule set in the present invention, subsequent protocol detection is performed only for a protocol threat that may occur in a live network; therefore, content that needs to be detected subsequently is reduced, the detection efficiency is improved, and unnecessary performance consumption is avoided at the same time.