[Emerging-Sigs] FP on 2011031?

evilghost@packetmail.net evilghost at packetmail.net
Thu Oct 7 16:33:21 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/07/2010 03:30 PM, Eoin Miller wrote:
> You could redo this with http_method content modifier. Would drastically 
> reduce the number of packets that this rule is inspecting:
> 
> content:"get"; nocase; http_method; content:!"GET"; http_method;

I absolutely agree, ideally all content:"GET "; nocase; depth:4 becomes
http_method; nocase; across all the HTTP methods we detect on.

- -evilghost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJMri6RAAoJENgimYXu6xOHlHcP/39WW1NkLiom9AWoijo5Ufkq
HT/QbAY8Zw+y4Yw3RV1v9Ss2yV7n4oWXd3v8GyHMxDEmcsvVv/YXdyXTWIzRD8z0
IFyW7v00CLW+r6kFz6JGrL3iHXB/jOTLkSIVUtgFElK+IRWchHTVbCDOOBuIU0z2
ai42NUTxV3QuUswlS6W6h3AEPq1tFmrp3YLXmLigw2mAW0hTCpyPygLNHt9+tgnQ
LUEUOe9apERcs0WjUFMrlVLPdjCaetUSObXMcMLaQbTcO3oAVjYQ0c6JWu/gLm46
Eyra8ypQwxLQJ08mb9Yn9BEwt8o/cNZ7DtICxd+z6gU+SynUrAsIB34MHtPcnrBG
9QaeA2S7mLAc0ZGzR+AVs9s/HJ1LgDvLxZzpnp5fyxqY08ov04ekMNyOu2s7qLcL
uY+ywXet9UchLU5cTa9tXuBoN9+son5qo7Z5Gcbcd3iBH8ID8F1VzhNVHJpz+esH
lLHhz4RqZV6GamfWxgAh8mocpu2jbycW5BHaeKEabb35CS+EKFeILBpUepyWxWqI
nzOYRhnOXU7v0SvwB3CuVkUHe9nJgazPbGiMy5JUmwFb/jycuATMsl+kLmWquh+D
dEWaPErn3V1qDhrj0gxXj4fqds9LZ2l7mUFO36pDzIk1OAH2gK/EvYXJw3Bwzad+
/tUFwl2FlU9bVjF/7fl5
=MDlq
-----END PGP SIGNATURE-----



More information about the Emerging-sigs mailing list