[Emerging-Sigs] FP on 2011031?

evilghost@packetmail.net evilghost at packetmail.net
Thu Oct 7 16:43:52 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 10/07/2010 03:38 PM, Eoin Miller wrote:
> Hmm, I think flipping that around might be better for performance now 
> that I think about it:
> 
> content:!"GET"; http_method; content:"get"; nocase; http_method;
> 
> Not sure though...

If we flip it then all HTTP methods except GET would be evaluated and
then checked if they matched "get"; nocase;.

The original way only HTTP GET methods are evaluated and then checked if
they do not match "GET".

I guess it depends on the zone and the amount of METHODs.  Not sure if
you can fast_pattern a negated match but afaik the fast_pattern match is
"get"; nocase;.  AFAIK the content matches are evaluated left to right
after the fast_pattern match.

- -evilghost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJMrjEIAAoJENgimYXu6xOHOisQAJxCD6tYWCM6z6jWTrW6nsyB
aDFDA08f5A3ZKE/mmK9zDlExRzME/YTg/InYrD3RifeLIEh4AstXvv3/iTxxRMFC
i6zDkkquf7AJ5o9uywTvGxtvQcjV1Sxe14ghXVKmXH+8qd8uzARG3Aw0arVrjJ8I
PStfABdYN1ICVs96cqzw204K7VP41bLPJyZ+1gJ4zVNqw+cLtYaC4FiAT97xlljI
+PSTqzX2c6dNpeaZ/fh2dJgnSRqHYItWxJ9K/6VY8OOXbJrcEb4mJgwvEauOHNeX
GwwSvR/WecEPdDaODA45vg0X12XqKEDeolLItessl+1wd37MtY3SaJzHeDM4tnE2
IW0MACK4DEnRUmFGI2X9+GnvZbvhxr2sSLtsyTcmjAwmIdzhW3dZWglyNLjzlCHR
W/QhsaBDurdlBJUOka1KxblelMvE5r8C2VWzwFPlqjX8x/aIWesQ1RmrVMezt2Tk
P+SOYnZ/M3Q5KAJF5WDcHP+l/QOPHW5pXK1LRgeeY/ibbs6SAggbNK78q5Syymtm
RQjKV/cRr2dZ5SMkj9DZUAc7rWVG/UFuSa0Kagd4u8V5yVEelml8VsC6N6mbEkpV
csvhafn2pSFY9UDV7BivN6PpIPl5EQJcNwqqDCoTdXnix6j3TPC2jnEkzk1OszJ1
jqlrK1SMqREMau31w06C
=TeiB
-----END PGP SIGNATURE-----



More information about the Emerging-sigs mailing list