Snort mailing list archives
Propose retire of SID 5320
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 5 Jan 2010 13:40:35 -0600
Hello,

SID 5320 (virus.rules) is a high cost rule, and the singular uricontent match on a forward slash doesn't do much to reduce the load on the PCRE engine. The PCRE appears to consist of multiple OR matches and is costly. Since this rule is ancient, I would imagine retiring it would be wise. Sober could be used as the new EICAR like "Blaster" and "Slammer". This rule is enabled by default.

Your thoughts/input welcome.

This rule is a high cost rule, as discovered by profiling, against a high volume Snort process BPF'd and flow-pinned to inspect HTTP traffic.

Finally, if you wish to keep the rule, may I suggest splitting it into separate rules with a precise uricontent match, PCRE if necessary, and perhaps an HTTP method as well?

Cheers,
evilghost
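As an added illustration of the splitting proposed in the message above (this is not the text of SID 5320 and not taken from the Snort ruleset; the URIs, message strings and SIDs are made up for the example), here is the shape of a single rule with a weak prefilter beside the split form, followed by the snort.conf profiling option that surfaces rules like it:

```snort
# Added example, hypothetical content throughout.
#
# Pattern A: one rule, weak prefilter.
# uricontent:"/" matches nearly every HTTP request URI, so the fast-pattern
# stage rejects almost nothing and the PCRE below runs on virtually every
# request. The alternation inside the PCRE makes each evaluation costlier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE worm check-in, single rule with weak prefilter"; \
    flow:to_server,established; \
    uricontent:"/"; \
    pcre:"/\/(alpha|beta|gamma)\/(stats|ping)\.php\?id=\d+/Ui"; \
    classtype:trojan-activity; sid:1000001; rev:1; \
)

# Pattern B: one rule per alternative.
# Each rule carries a precise uricontent the fast-pattern matcher can use to
# discard most traffic, restricts the HTTP method, and keeps a PCRE only for
# the part a literal match cannot express (the numeric id). Only requests
# whose URI contains the literal ever reach the PCRE engine.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE worm check-in, alpha stats path"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    uricontent:"/alpha/stats.php?id="; nocase; \
    pcre:"/\/alpha\/stats\.php\?id=\d+/Ui"; \
    classtype:trojan-activity; sid:1000002; rev:1; \
)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE worm check-in, beta ping path"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    uricontent:"/beta/ping.php?id="; nocase; \
    pcre:"/\/beta\/ping\.php\?id=\d+/Ui"; \
    classtype:trojan-activity; sid:1000003; rev:1; \
)

# snort.conf: rule profiling, as used to find the high cost rule.
# Prints the ten most expensive rules sorted by average ticks per check;
# other sort keys include checks, matches, nomatches and total_ticks.
config profile_rules: print 10, sort avg_ticks
```

The split form does more work per rule line but far less per packet: the fast-pattern matcher does the bulk of the rejection on a literal that is rare in benign traffic, and the PCRE only runs on the small set of requests that already contain that literal. Rule profiling output (avg_ticks, checks versus matches) is the check that confirms whether the split actually helped on a given sensor.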