[Emerging-Sigs] New ET Rulesets; praises and suggestions

evilghost@packetmail.net evilghost at packetmail.net
Wed Oct 13 18:37:36 EDT 2010


Thanks guys, don't let my suggestions regarding http_method overshadow
the awesomeness of what you have accomplished.  We're excited and
there's measurable gains from your efforts.  To have undertaken such a
large task with success is a pretty daunting feat.

-evilghost

On 10/13/2010 04:14 PM, Will Metcalf wrote:
> Yep working on it.  We still have a bit of work to do on web specific
> apps as a category.  Thanks for the kind words evil ;-)
> 
> Regards,
> 
> Will
> 
> On Wed, Oct 13, 2010 at 3:55 PM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
> I wanted to thank all those involved in the optimization of the Snort
> 2.6 ET rulesets; I can see a clear and measurable difference in CPU
> utilization and performance by using these on 2.8.6.1 sensors.  Fine job
> guys.
> 
> I would like to see further optimization by suggesting replacement of:
> 
> content:"GET "; depth:4; with content:"GET"; http_method;
> content:"GET "; nocase; depth:4; with content:"GET"; nocase; http_method;
> content:"POST "; depth:5; etc...
> 
> An example SID would be 2011454 or 2009710.  Now, I know this is a
> little tricky since a distance:0 modifier in the next content match
> wouldn't be relative to http_method's buffer so this only makes sense
> for certain signatures.
> 
> Again, thanks for the efforts folks.  Fine job.
> 
> -evilghost
> 
> 
> 
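The replacement suggested in the thread, together with its distance:0 caveat, can be expressed as a small rule rewriter. This is an added example, not code from the thread or from the ET project; `convert` and the sample rules are constructed for illustration, and only `distance` and `within` on the next content match are treated as the relative case.

```python
import re

# One option = quoted strings (with \-escapes) or any run without ';' or '"'.
OPTION = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^;"])+')
METHOD = re.compile(r'content:\s*"(GET|POST) "')
RELATIVE = ("distance", "within")  # depend on where the previous match ended

def keyword(opt):
    return opt.split(":", 1)[0].strip()

def convert(rule):
    """Return (rule_text, status); status is converted, relative or no-match."""
    header, _, body = rule.partition("(")
    opts = [o.strip() for o in OPTION.findall(body.rsplit(")", 1)[0]) if o.strip()]
    for i, opt in enumerate(opts):
        m = METHOD.fullmatch(opt)
        if not m:
            continue
        # Collect the modifiers attached to this content match.
        j, mods = i + 1, {}
        while j < len(opts) and keyword(opts[j]) in ("nocase", "depth", "offset"):
            key, _, val = opts[j].partition(":")
            mods[key.strip()] = val.strip()
            j += 1
        # Only the exact "method plus space at the start of the payload" form.
        if mods.get("depth") != str(len(m.group(1)) + 1) or "offset" in mods:
            continue
        # The thread's caveat: leave the rule alone when the next content is relative.
        seen_content = False
        for later in opts[j:]:
            if keyword(later) == "content":
                if seen_content:
                    break
                seen_content = True
            elif seen_content and keyword(later) in RELATIVE:
                return rule, "relative"
        new = [f'content:"{m.group(1)}"']
        new += ["nocase"] if "nocase" in mods else []
        new.append("http_method")
        return f'{header}({"; ".join(opts[:i] + new + opts[j:])};)', "converted"
    return rule, "no-match"

HDR = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
SAMPLES = [  # constructed rules, not taken from any ET ruleset
    HDR + '(msg:"constructed A"; content:"GET "; depth:4; uricontent:"/gate.php"; sid:1000001;)',
    HDR + '(msg:"constructed B"; content:"POST "; nocase; depth:5; content:"data="; distance:0; sid:1000002;)',
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(convert(sample))
```

Rules reported as `relative` need manual review, since the follow-on match would have to be reworked before the method check can move to `http_method`.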