Snort mailing list archives

Propose retire of SID 5320


From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 5 Jan 2010 13:40:35 -0600

Hello, SID 5320 (virus.rules) is a high cost rule and the singular 
uricontent match on a forward slash doesn't do much to reduce the load 
on the PCRE engine.  The PCRE appears to consist of multiple OR matches 
and is costly.  Since this rule is ancient, I would imagine retiring it 
would be wise.  Sober could be used as the new EICAR like "Blaster" and 
"Slammer".  This rule is enabled by default.  Your thoughts/input welcome.

This rule is a high cost rule, as discovered by profiling, against a 
high volume Snort process BPF'd and flow-pinned to inspect HTTP traffic.

Finally, if you wish to keep the rule may I suggest splitting it into 
separate rules with a precise uricontent match, PCRE if necessary, and 
perhaps an HTTP method as well?

Cheers,
evilghost
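The cost argument above rests on prefilter selectivity: a uricontent match on "/" is satisfied by practically every HTTP URI, so the expensive PCRE runs on nearly every request, whereas a precise uricontent (plus an HTTP method) only hands the PCRE the handful of requests that could possibly match. The following is an added example, not part of the original message and not Snort code or the actual content of SID 5320: a small Python model of a content-prefilter-then-PCRE rule engine, run over constructed request lines, that counts how often the regex is evaluated under the broad rule and under the split rules. The malware file names, SIDs and regexes are hypothetical, and the prefilter check is simplified to a case-insensitive substring test standing in for Snort's fast-pattern matcher with nocase.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of (method, normalized URI) pairs; not captured traffic.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/index.html"),
    ("GET", "/images/logo.png"),
    ("POST", "/login"),
    ("GET", "/cgi-bin/mailer_pack.exe"),       # hypothetical worm download URI
    ("GET", "/css/site.css"),
    ("GET", "/api/v1/status"),
    ("GET", "/download/service_update.exe"),   # hypothetical worm download URI
    ("HEAD", "/robots.txt"),
]

# Hypothetical multi-OR alternation standing in for the costly PCRE of the
# original rule. It is NOT the regex from SID 5320.
MALWARE_PCRE = re.compile(r"/(?:mailer_pack|service_update|sys_check)\.exe$", re.I)


@dataclass
class Rule:
    """A minimal model of a Snort HTTP rule: optional method, uricontent prefilter, optional PCRE."""
    sid: int
    uricontent: str                     # prefilter; modeled as nocase substring
    pcre: Optional[re.Pattern] = None   # expensive check, only run if prefilter passes
    method: Optional[str] = None        # None means any HTTP method
    pcre_evals: int = 0                 # profiling counter: how often the PCRE actually ran

    def matches(self, method: str, uri: str) -> bool:
        if self.method is not None and method != self.method:
            return False
        if self.uricontent.lower() not in uri.lower():
            return False                # cheap rejection, PCRE never touched
        if self.pcre is None:
            return True
        self.pcre_evals += 1            # this is the cost we want to minimize
        return self.pcre.search(uri) is not None


def profile(rules: List[Rule], requests: List[Tuple[str, str]]):
    """Run every rule over every request; return (alerts, PCRE evaluations per SID)."""
    for r in rules:
        r.pcre_evals = 0
    alerts: List[Tuple[int, str]] = []
    for method, uri in requests:
        for rule in rules:
            if rule.matches(method, uri):
                alerts.append((rule.sid, uri))
    evals: Dict[int, int] = {r.sid: r.pcre_evals for r in rules}
    return alerts, evals


# The shape criticized in the message: one rule, "/" as prefilter, big alternation PCRE.
BROAD_RULES = [Rule(sid=1000001, uricontent="/", pcre=MALWARE_PCRE)]

# The suggested shape: one rule per target, precise uricontent, narrow PCRE only to
# anchor the file name at the end of the URI, and the HTTP method pinned down.
SPLIT_RULES = [
    Rule(sid=1000002, uricontent="mailer_pack.exe",
         pcre=re.compile(r"/mailer_pack\.exe$", re.I), method="GET"),
    Rule(sid=1000003, uricontent="service_update.exe",
         pcre=re.compile(r"/service_update\.exe$", re.I), method="GET"),
    Rule(sid=1000004, uricontent="sys_check.exe",
         pcre=re.compile(r"/sys_check\.exe$", re.I), method="GET"),
]


def compare(requests: List[Tuple[str, str]] = SAMPLE_REQUESTS):
    """Return total PCRE evaluations and the set of alerted URIs for both rule sets."""
    broad_alerts, broad_evals = profile(BROAD_RULES, requests)
    split_alerts, split_evals = profile(SPLIT_RULES, requests)
    return {
        "broad_pcre_evals": sum(broad_evals.values()),
        "split_pcre_evals": sum(split_evals.values()),
        "broad_uris": sorted(u for _, u in broad_alerts),
        "split_uris": sorted(u for _, u in split_alerts),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Both rule sets raise the same alerts on this sample, but the broad rule hands every request to the regex engine while the split rules only evaluate a PCRE on the requests whose URI already contains the exact file name. On a sensor inspecting only HTTP, that difference scales with the total request rate, which is why the "/" prefilter shows up in profiling.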
