[Emerging-Sigs] Emerging-sigs Digest, Vol 35, Issue 62

Pedro Marinho pppmarinho at gmail.com
Thu Oct 14 09:07:30 EDT 2010


Wow, that is great to hear from you, Evilghost.

It was very funny indeed =>
I just keep bugging Matt and Will and Daniel all day asking "should I go with
that for this rule? Isn't it better to go with this on this rule? There is
this rule here and I was wondering if..." and a lot of tests and coffee
later they are almost complete, except for the web_specific_apps; working on
it right now.
Glad to hear the rules are fine.
=>


Message: 1
> Date: Wed, 13 Oct 2010 15:55:39 -0500
> From: "evilghost at packetmail.net" <evilghost at packetmail.net>
> Subject: [Emerging-Sigs] New ET Rulesets; praises and suggestions
> To: "Emerging-sigs at emergingthreats.net"
>        <Emerging-sigs at emergingthreats.net>
> Message-ID: <4CB61CCB.2020400 at packetmail.net>
> Content-Type: text/plain; charset="us-ascii"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I wanted to thank all those involved in the optimization of the Snort
> 2.6 ET rulesets; I can see a clear and measurable difference in CPU
> utilization and performance by using these on 2.8.6.1 sensors.  Fine job
> guys.
>
> I would like to see further optimization by suggesting replacement of:
>
> content:"GET "; depth:4; with content:"GET"; http_method;
> content:"GET "; nocase; depth:4; with content:"GET"; nocase; http_method;
> content:"POST "; depth:5; etc...
>
> An example SID would be 2011454 or 2009710.  Now, I know this is a
> little tricky since a distance:0 modifier in the next content match
> wouldn't be relative to http_method's buffer so this only makes sense
> for certain signatures.
>
> Again, thanks for the efforts folks.  Fine job.
>
> - -evilghost
>
>
>
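The http_method rewrite evilghost proposes above, together with the distance:0 caveat, as an added Python example (not code from this list, from ET or from Snort): a helper that turns a leading content:"GET "; depth:4; (or POST, HEAD, PUT) into the http_method form only when the following content carries no distance/within modifier, and otherwise reports why it left the rule untouched. The option-parsing heuristics, the modifier list and the two sample rules are my own constructed assumptions, written against the Snort 2.8 syntax discussed in the thread.

```python
import re

CONTENT_MODS = {  # modifiers that bind to the preceding content: (Snort 2.8 syntax)
    "nocase", "depth", "offset", "distance", "within", "rawbytes", "fast_pattern",
    "http_method", "http_uri", "http_header", "http_client_body", "http_cookie", "http_raw_uri"}
METHOD_RE = re.compile(r'^content:"(GET|POST|HEAD|PUT) "$')
SAMPLE_RULES = [  # constructed, not ET rules; the second carries the distance:0 caveat
    'alert tcp any any -> any $HTTP_PORTS (msg:"constructed plain GET"; flow:to_server; '
    'content:"GET "; nocase; depth:4; content:"/example.php"; http_uri; sid:9000001; rev:1;)',
    'alert tcp any any -> any $HTTP_PORTS (msg:"constructed relative POST"; flow:to_server; '
    'content:"POST "; depth:5; content:"/upload.php"; distance:0; sid:9000002; rev:1;)',
]

def split_options(body):
    """Split a rule option block on ';' outside double quotes."""
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def group_contents(options):
    """Return [(index, [content, modifier, ...]), ...], one entry per content match."""
    groups = []
    for i, opt in enumerate(options):
        key = opt.split(":", 1)[0].strip()
        if key == "content":
            groups.append((i, [opt]))
        elif key in CONTENT_MODS and groups and groups[-1][0] + len(groups[-1][1]) == i:
            groups[-1][1].append(opt)  # contiguous modifier of the last content
    return groups

def optimize_method_match(rule):
    """Move a leading 'METHOD ' content into http_method; return (new_rule, note)."""
    head, _, rest = rule.partition("(")
    options = split_options(rest.rsplit(")", 1)[0])
    groups = group_contents(options)
    if not groups:
        return rule, "no content matches"
    start, first = groups[0]
    m = METHOD_RE.match(first[0])
    mods = {o.split(":", 1)[0].strip(): o.replace(" ", "") for o in first[1:]}
    if not m or mods.get("depth") != f"depth:{len(m.group(1)) + 1}" or set(mods) - {"depth", "nocase"}:
        return rule, "first content is not a plain 'METHOD ' match with matching depth"
    if len(groups) > 1 and any(o.split(":")[0] in ("distance", "within") for o in groups[1][1]):
        return rule, "next content uses distance/within; http_method would change its anchor"
    new_first = [f'content:"{m.group(1)}"'] + (["nocase"] if "nocase" in mods else []) + ["http_method"]
    options[start:start + len(first)] = new_first
    return f"{head}({'; '.join(options)};)", "rewritten"

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(*optimize_method_match(rule), sep="\n  ")
```

http_method is filled by the http_inspect preprocessor, so a rewritten rule still needs to be validated against the sensor's preprocessor configuration and a sample pcap before it replaces the original.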