Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Performance Question - content vs uricontent

From: dxp <dxp2532 () gmail com>
Date: Fri, 30 Jan 2009 12:16:56 -0500
The following snippet was taken from Emerging Threats mailing list
discussion regarding optimizing one of the rules.  Can someone here shed
some light into this?

--- snip --- by Martin Holste

but academically speaking, can anyone say which is theoretically less
load?  For instance, in the below example, which would be faster:
 
        content:"POST "; depth:5; content:"/forms.cgi"; within:64;
(or some other smallish integer to keep from scanning the entire flow)
 
or 
        content:"/forms.cgi HTTP"; depth:69;
 
or
        does uricontent beat them both?

--- snip ---
-  

-=[ dxp ]=-
0xA3F3C6E3

Attachment: signature.asc
Description: This is a digitally signed message part

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: