[Emerging-Sigs] FP on 2011031?
eoin.miller at trojanedbinaries.com
Thu Oct 7 16:38:26 EDT 2010
On 10/7/2010 8:33 PM, evilghost at packetmail.net wrote:
> On 10/07/2010 03:30 PM, Eoin Miller wrote:
>> You could redo this with http_method content modifier. Would drastically
>> reduce the number of packets that this rule is inspecting:
>> content:"get"; nocase; http_method; content:!"GET"; http_method;
> I absolutely agree, ideally all content:"GET "; nocase; depth:4 becomes
> http_method; nocase; across all the HTTP methods we detect on.
Hmm, I think flipping that around might be better for performance now
that I think about it:
content:!"GET"; http_method; content:"get"; nocase; http_method;
Not sure though...
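
The two `http_method` content tests discussed in this thread, modelled in plain Python as an added example (not code from the thread or from the Emerging Threats ruleset). The function names and sample requests are constructed for illustration, and the model shows only which requests satisfy both tests, not how the detection engine schedules or optimizes them.

```python
# Added illustration: models content:"get"; nocase; http_method; together with
# content:!"GET"; http_method; as plain substring tests on the method token.
# Not Snort code; helper names and sample requests are constructed.

def http_method(raw: bytes) -> bytes:
    """Return the method token of the request line (the http_method buffer)."""
    request_line = raw.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0]

def content(buf: bytes, pattern: bytes, nocase: bool = False,
            negated: bool = False) -> bool:
    """Substring test like a content keyword; negated mirrors content:!"..."."""
    if nocase:
        buf, pattern = buf.lower(), pattern.lower()
    found = pattern in buf
    return not found if negated else found

def original_order(raw: bytes) -> bool:
    m = http_method(raw)
    return content(m, b"get", nocase=True) and content(m, b"GET", negated=True)

def flipped_order(raw: bytes) -> bool:
    m = http_method(raw)
    return content(m, b"GET", negated=True) and content(m, b"get", nocase=True)

# Constructed sample requests.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"get /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"Get /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"gEt /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

def verdicts():
    """Return (method, alert) per sample; both orderings must agree."""
    out = []
    for raw in SAMPLES:
        a, b = original_order(raw), flipped_order(raw)
        assert a == b  # reordering the two tests does not change the verdict
        out.append((http_method(raw).decode(), a))
    return out

if __name__ == "__main__":
    for method, alert in verdicts():
        print(f"{method:5} alert={alert}")
```

Only requests whose method spells "get" in something other than all upper case satisfy both tests, whichever order they are written in.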