PCRE and uricontent anchor

[Curt Shaffer <cshaffer () gmail com>]

I am attempting to write a rule that would capture a POST event to a url with a specific file. Here is an example:

https://www.example.com/abc.aspx?id=459184950

The id section is always different. We also want to look for any similar POSTS to any address. With that in mind, here 
is the basis of what we came up with.

alert tcp $home_net any -> $external_net 443 (msg:"Bad stuff potentially going on"; pcre:"a.\.aspx\?id=.*"; classtype: 
trojan-activity; sid:10000015; rev:1;)

My question is, I suppose can we use a pcre match with no content or uricontent anchor, but that would be a pretty slow 
rule most likely. Does anyone have a suggestion on how I could anchor this to make it more efficient?

Thanks

Curt
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs