Snort mailing list archives
Performance Question - content vs uricontent
From: dxp <dxp2532 () gmail com>
Date: Fri, 30 Jan 2009 12:16:56 -0500
The following snippet was taken from Emerging Threats mailing list discussion regarding optimizing one of the rules. Can someone here shed some light into this? --- snip --- by Martin Holste but academically speaking, can anyone say which is theoretically less load? For instance, in the below example, which would be faster: content:"POST "; depth:5; content:"/forms.cgi"; within:64; (or some other smallish integer to keep from scanning the entire flow) or content:"/forms.cgi HTTP"; depth:69; or does uricontent beat them both? --- snip --- - -=[ dxp ]=- 0xA3F3C6E3
Attachment:
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Performance Question - content vs uricontent dxp (Jan 30)
- Re: Performance Question - content vs uricontent Matt Olney (Jan 30)