[Emerging-Sigs] New ET Rulesets; praises and suggestions
evilghost at packetmail.net
Wed Oct 13 18:37:36 EDT 2010
Thanks guys, don't let my suggestions regarding http_method overshadow
the awesomeness of what you have accomplished. We're excited and
there are measurable gains from your efforts. To have undertaken such a
large task with success is a pretty daunting feat.
On 10/13/2010 04:14 PM, Will Metcalf wrote:
> Yep working on it. We still have a bit of work to do on web specific
> apps as a category. Thanks for the kind words evil ;-)
> On Wed, Oct 13, 2010 at 3:55 PM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
> I wanted to thank all those involved in the optimization of the Snort
> 2.6 ET rulesets; I can see a clear and measurable difference in CPU
> utilization and performance by using these on 22.214.171.124 sensors. Fine job.
> I would like to see further optimization by suggesting replacement of:
> content:"GET "; depth:4; with content:"GET"; http_method;
> content:"GET "; nocase; depth:4; with content:"GET"; nocase; http_method;
> content:"POST "; depth:5; etc...
> An example SID would be 2011454 or 2009710. Now, I know this is a
> little tricky since a distance:0 modifier in the next content match
> wouldn't be relative to http_method's buffer so this only makes sense
> for certain signatures.
> Again, thanks for the efforts folks. Fine job.
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
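The rewrite proposed above (content:"GET "; depth:4; becoming content:"GET"; http_method;) with the distance:0 caveat turned into an automatic check, as an added Python example that is not part of this thread or of the ET rulesets. The sample rules, their msg strings and sids are constructed here for the example and are not real ET signatures; the script only rewrites a rule when the method content is matched with depth equal to the method length plus the trailing space and the next content/pcre does not use a relative modifier (distance, within, or pcre's R flag), since those would no longer be relative to the raw payload once the anchor moves into the http_method buffer.

```python
import re

# Constructed sample rules for this example; the sids are hypothetical.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE plain GET"; flow:established,to_server; content:"GET "; depth:4; content:"/foo.php?id="; nocase; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE nocase GET"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/bar"; http_uri; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE relative follow-up"; flow:established,to_server; content:"GET "; depth:4; content:"/baz"; distance:0; sid:9000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE POST"; flow:established,to_server; content:"POST "; depth:5; content:"user="; http_client_body; sid:9000004; rev:1;)',
]

MATCH_KEYWORDS = ("content", "pcre", "uricontent")
RELATIVE_MODIFIERS = {"distance", "within"}
METHOD_RE = re.compile(r'^"([A-Z]+) "$')  # e.g. "GET " or "POST " with trailing space


def split_options(body):
    """Split the text between the rule parentheses into (keyword, value) pairs.
    Semicolons inside double quotes belong to the value (Snort requires them
    to be backslash-escaped, so a backslash skips the next character)."""
    opts, cur, in_quote, i = [], [], False, 0

    def flush():
        opt = "".join(cur).strip()
        if opt:
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip() or None))

    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
            cur = []
        else:
            cur.append(ch)
        i += 1
    flush()  # tolerate a last option without a trailing ';'
    return opts


def join_options(opts):
    return " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in opts)


def next_match_is_relative(opts, start):
    """True if the first content/pcre/uricontent at or after `start` is
    relative to the previous match (distance/within, or pcre's R flag)."""
    j = start
    while j < len(opts) and opts[j][0] not in MATCH_KEYWORDS:
        j += 1
    if j >= len(opts):
        return False
    key, val = opts[j]
    if key == "pcre":
        return "R" in (val or "").rsplit("/", 1)[-1]
    k = j + 1
    while k < len(opts) and opts[k][0] not in MATCH_KEYWORDS:
        if opts[k][0] in RELATIVE_MODIFIERS:
            return True
        k += 1
    return False


def optimize_rule(rule):
    """Return (rule, note). The rule is rewritten only when it is safe to
    move the method match into the http_method buffer."""
    head, sep, rest = rule.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        return rule, "not a rule"
    opts = split_options(rest.rstrip()[:-1])
    sid = next((v for k, v in opts if k == "sid"), "?")

    for i, (key, val) in enumerate(opts):
        m = METHOD_RE.match(val or "") if key == "content" else None
        if not m:
            continue
        method = m.group(1)
        j = i + 1  # collect this content's own modifiers
        mods = []
        while j < len(opts) and opts[j][0] not in MATCH_KEYWORDS:
            mods.append(opts[j])
            j += 1
        mod_keys = [k for k, _ in mods]
        # must be exactly "METHOD " anchored at payload start (depth == len+1)
        if dict(mods).get("depth") != str(len(method) + 1):
            continue
        if any(k not in ("depth", "nocase") for k in mod_keys):
            continue  # offset/distance/within on the anchor itself: leave alone
        if next_match_is_relative(opts, j):
            return rule, f"skipped sid {sid}: next match is relative to the raw payload"
        new = [("content", f'"{method}"')]
        if "nocase" in mod_keys:
            new.append(("nocase", None))
        new.append(("http_method", None))
        opts = opts[:i] + new + opts[j:]
        return head + "(" + join_options(opts) + ")", f"rewrote sid {sid}"
    return rule, f"sid {sid}: no method anchor found"


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        new_rule, note = optimize_rule(r)
        print(note)
        print("  " + new_rule)
```

A real run would feed the ET rule files line by line and review the "skipped" notes by hand; those are exactly the signatures where the http_method form changes meaning and a manual rewrite (or leaving the depth anchor in place) is needed.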