You'd have to have a common triggering condition for all three commands. For instance:
alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established; content:"GET /"; depth:5; content:"GET"; http_method; content:...
1. If you can afford to enable it, and the customer has no privacy concerns, then yes, you can enable it.
2. AMP is not all hash based, despite what our competitors believe. There are many systems in AMP that identify malware *not* based on hash...