[Emerging-Sigs] FP on 2011031?

Eoin Miller eoin.miller at trojanedbinaries.com
Thu Oct 7 16:38:26 EDT 2010


  On 10/7/2010 8:33 PM, evilghost at packetmail.net wrote:
> On 10/07/2010 03:30 PM, Eoin Miller wrote:
>> You could redo this with http_method content modifier. Would drastically
>> reduce the number of packets that this rule is inspecting:
>>
>> content:"get"; nocase; http_method; content:!"GET"; http_method;
> I absolutely agree, ideally all content:"GET "; nocase; depth:4 becomes
> http_method; nocase; across all the HTTP methods we detect on.
>
> --evilghost
>
Hmm, I think flipping that around might be better for performance now 
that I think about it:

content:!"GET"; http_method; content:"get"; nocase; http_method;

Not sure though...

-- Eoin
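
Added example, not part of the original message and not Snort code: a simplified Python model of the two `http_method` content tests in both orderings from this thread, run over constructed requests. It assumes the options are evaluated left to right and stop at the first failure; Snort's fast-pattern prefilter is not modelled, and every function name and sample request here is hypothetical.

```python
# Added illustration: a simplified left-to-right model of the two http_method
# content tests discussed in this thread. Not Snort's detection engine.

def http_method(request: bytes) -> bytes:
    """Return the method token of the request line (stand-in for the http_method buffer)."""
    line = request.split(b"\r\n", 1)[0]
    return line.split(b" ", 1)[0]

def has_get_nocase(method: bytes) -> bool:
    # content:"get"; nocase; http_method;
    return b"get" in method.lower()

def not_exact_get(method: bytes) -> bool:
    # content:!"GET"; http_method;
    return b"GET" not in method

ORDER_A = (has_get_nocase, not_exact_get)   # ordering from the first suggestion
ORDER_B = (not_exact_get, has_get_nocase)   # ordering from the follow-up

def evaluate(request: bytes, order):
    """Return (alert, tests_run), stopping at the first failing test."""
    method = http_method(request)
    run = 0
    for test in order:
        run += 1
        if not test(method):
            return False, run
    return True, run

# Constructed sample requests; the POST body contains "get" on purpose to show
# that only the method token is inspected.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /f HTTP/1.1\r\nHost: example.test\r\n\r\nget=1",
    b"get / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GeT / HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

def summarize(order):
    """Return (per-request alert verdicts, total number of tests evaluated)."""
    results = [evaluate(r, order) for r in SAMPLES]
    return [alert for alert, _ in results], sum(n for _, n in results)

if __name__ == "__main__":
    for name, order in (("A", ORDER_A), ("B", ORDER_B)):
        alerts, cost = summarize(order)
        print(name, alerts, "tests run:", cost)
```

Both orderings alert on the same requests; only the number of tests evaluated differs, and which ordering is cheaper in this model depends on how much of the traffic is plain `GET` versus other methods.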



