You'd have to have a common triggering condition for all three commands. For instance:
alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established; content:"GET /"; depth:5; content:"GET"; http_method; content:...
1. If you can afford to enable it, and the customer has no privacy concerns, then yes, you can enable it.
2. AMP is not all hash based, despite what our competitors believe. There are many systems in AMP that identify malware *not* based on hash...