[Emerging-Sigs] New ET Rulesets; praises and suggestions

waldo kitty wkitty42 at windstream.net
Wed Oct 13 20:24:12 EDT 2010


On 10/13/2010 16:55, evilghost at packetmail.net wrote:
> I would like to see further optimization by suggesting replacement of:
>
> content:"GET "; depth:4; with content:"GET"; http_method;
> content:"GET "; nocase; depth:4; with content:"GET"; nocase; http_method;
> content:"POST "; depth:5; etc...

I thought this was already done for many/most of the rules with the new rule sets??

What I'd like to see is the conversion of the threshold stuff in the RBN,
dshield, botcnc and similar rule sets... that would eliminate ~1800 lines from
my logs that are inserted by Snort on every reload it does (at least 4 a day
plus one each time my IP changes)...
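
The substitution proposed in the quoted text, sketched as a rule rewriter (an added example, not part of the original thread or of the Emerging Threats tooling). The function names, the constructed sample rule, and the choice to flag a following `distance`/`within` content for manual review instead of converting it are assumptions of this example.

```python
import re

# One rule option up to its terminating ';', honouring quoted strings and escapes.
OPTION_RE = re.compile(r'\s*((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')
METHODS = {'"GET "': "GET", '"POST "': "POST"}
MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "rawbytes", "fast_pattern"}
# Constructed sample rule (not from any real rule set).
SAMPLE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed example"; '
          'flow:established,to_server; content:"GET "; depth:4; uricontent:"/gate.php"; sid:1000001; rev:1;)')

def _name(opt):
    return opt.split(":", 1)[0].strip()

def _value(opt):
    return opt.split(":", 1)[1].strip() if ":" in opt else ""

def _modifiers(opts, i):
    """Content modifiers that directly follow the content option at index i."""
    j = i + 1
    while j < len(opts) and _name(opts[j]) in MODIFIERS:
        j += 1
    return opts[i + 1:j]

def convert_rule(rule):
    """Return (rule_text, status); status is 'converted', 'review' or 'unchanged'."""
    m = re.match(r"^(.*?\()(.*)\)\s*$", rule.strip())
    if not m:
        return rule, "unchanged"
    header, opts = m.group(1), [o.strip() for o in OPTION_RE.findall(m.group(2))]
    for i, opt in enumerate(opts):
        if _name(opt) != "content" or _value(opt) not in METHODS:
            continue
        method = METHODS[_value(opt)]
        mods = _modifiers(opts, i)
        names = sorted(_name(x) for x in mods)
        depth = [_value(x) for x in mods if _name(x) == "depth"]
        # Only the exact pattern from the post: depth == len(method + space), optional nocase.
        if names not in (["depth"], ["depth", "nocase"]) or depth[0] != str(len(method) + 1):
            return rule, "unchanged"
        # Assumption: a following content with distance/within is anchored to this
        # raw-packet match, so moving it to the method buffer needs a human decision.
        nxt = i + 1 + len(mods)
        if nxt < len(opts) and _name(opts[nxt]) == "content":
            if {"distance", "within"} & {_name(x) for x in _modifiers(opts, nxt)}:
                return rule, "review"
        opts[i:nxt] = ['content:"%s"' % method] + [x for x in mods if _name(x) == "nocase"] + ["http_method"]
        return header + " ".join(o + ";" for o in opts) + ")", "converted"
    return rule, "unchanged"
```

Rules returned with status `review` or `unchanged` come back byte-for-byte as they went in, so the output can be diffed against the original rule file before deployment.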

