[Emerging-Sigs] Emerging-sigs Digest, Vol 35, Issue 62
pppmarinho at gmail.com
Thu Oct 14 09:07:30 EDT 2010
Wow, that is great to hear from you, Evilghost.
It was very funny indeed =>
I just keep bugging Matt and Will and Daniel all day asking "should I go with
that for this rule? Isn't it better to go with this on this rule? There is
this rule here and I was wondering if.." and a lot of tests and coffee
later they are almost complete.. except for the web_specific_apps, working on
it right now..
Glad to hear the rules are fine..
> Date: Wed, 13 Oct 2010 15:55:39 -0500
> From: "evilghost at packetmail.net" <evilghost at packetmail.net>
> Subject: [Emerging-Sigs] New ET Rulesets; praises and suggestions
> To: "Emerging-sigs at emergingthreats.net"
> <Emerging-sigs at emergingthreats.net>
> Message-ID: <4CB61CCB.2020400 at packetmail.net>
> Content-Type: text/plain; charset="us-ascii"
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I wanted to thank all those involved in the optimization of the Snort
> 2.6 ET rulesets; I can see a clear and measurable difference in CPU
> utilization and performance by using these on 184.108.40.206 sensors. Fine job.
> I would like to see further optimization by suggesting replacement of:
> content:"GET "; depth:4; with content:"GET"; http_method;
> content:"GET "; nocase; depth:4; with content:"GET"; nocase; http_method;
> content:"POST "; depth:5; etc...
> An example SID would be 2011454 or 2009710. Now, I know this is a
> little tricky since a distance:0 modifier in the next content match
> wouldn't be relative to http_method's buffer so this only makes sense
> for certain signatures.
> Again, thanks for the efforts folks. Fine job.
> - -evilghost
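The substitution suggested in the quoted message, as an added example that is not part of the original thread and not the Emerging Threats project's own tooling: a small rewriter that swaps the raw-payload method match for the http_method form, and leaves a rule untouched when the next match is relative (distance, within, or a pcre with the R flag), which is the caveat the message raises. The sample rules, their SIDs and all function names are constructed for illustration.

```python
import re

# Raw-payload form of the method match -> (required depth, http_method form).
METHODS = {'"GET "': ("4", '"GET"'), '"POST "': ("5", '"POST"')}
# Constructed sample rules (not real ET signatures).
SAMPLE_SAFE = 'alert tcp any any -> any 80 (msg:"constructed A"; content:"GET "; nocase; depth:4; uricontent:"/gate.php"; sid:1000001;)'
SAMPLE_RELATIVE = 'alert tcp any any -> any 80 (msg:"constructed B"; content:"POST "; depth:5; content:"/upload"; distance:0; sid:1000002;)'

def split_options(body):
    """Split an option body on ';', leaving quoted strings and backslash escapes intact."""
    parts = re.findall(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+', body)
    return [p.strip() for p in parts if p.strip()]

key = lambda opt: opt.split(":", 1)[0].strip()  # option keyword, e.g. "content"

def next_match_is_relative(opts, start):
    """True if the first pattern match from `start` on depends on the previous match."""
    matches = 0
    for opt in opts[start:]:
        k = key(opt)
        matches += k in ("content", "uricontent", "pcre")
        if matches > 1:
            break
        if k in ("distance", "within") or (k == "pcre" and re.search(r'/\w*R\w*"$', opt)):
            return True
    return False

def rewrite(rule):
    """Return (rule, changed); the rule is rewritten only when that is safe."""
    m = re.match(r"(.*?\()(.*)\)\s*$", rule, re.S)
    opts = split_options(m.group(2)) if m else []
    for i, opt in enumerate(opts):
        value = opt.split(":", 1)[-1].strip()
        if key(opt) != "content" or value not in METHODS:
            continue
        depth, method = METHODS[value]
        j = i + 1
        while j < len(opts) and key(opts[j]) in ("depth", "nocase"):
            j += 1  # consume the modifiers that belong to the method match
        mods = [o.replace(" ", "") for o in opts[i + 1:j]]
        if "depth:" + depth not in mods or next_match_is_relative(opts, j):
            continue  # not the anchored form, or the following match is relative
        opts[i:j] = ["content:" + method] + [x for x in mods if x == "nocase"] + ["http_method"]
        return m.group(1) + "; ".join(opts) + ";)", True
    return rule, False

if __name__ == "__main__":
    for sample in (SAMPLE_SAFE, SAMPLE_RELATIVE):
        print(rewrite(sample))
```

Rules it declines to change are the ones to review by hand, since a relative match after the method would need to be re-anchored before the substitution is valid.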