

Remove many pcre in favor of meta_content for performance reasons.
Champ Clark III committed Aug 22, 2018
1 parent e19e9cf commit 49177c2
Showing 40 changed files with 4,065 additions and 6,894 deletions.
2 changes: 1 addition & 1 deletion apache.rules
Expand Up @@ -41,7 +41,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Rapid attempt to acc
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; meta_content: "%sagan%",modsecurity,mod_security,mod_security-message; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:8;)
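Review bot: The rewritten sid 5000165 (the `rev:8` line) loses the case-insensitivity the old pcre had: `/modsecurity|mod_security|mod_security-message/i` matched any casing, but `meta_content: "%sagan%",modsecurity,mod_security,mod_security-message;` carries no `meta_nocase`, so only lowercase spellings match, while the neighbouring `content: "access denied"; nocase;` is still case-insensitive. ModSecurity 2.x error_log entries are conventionally written `ModSecurity: Access denied with code 403 ...` in mixed case, so if that is the format this rule is meant to catch, the new revision would silently stop firing on it. Add the modifier directly after the list: `meta_content: "%sagan%",modsecurity,mod_security,mod_security-message; meta_nocase; content: "access denied"; nocase;`. The `mod_security-message` entry is also a pure substring superset of `mod_security` (as it already was in the pcre) and can be dropped without changing what matches.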
2 changes: 1 addition & 1 deletion as400.rules
Expand Up @@ -38,7 +38,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL fail - passwo

# 10.16.101.200|local6|alert|alert|b1|2018-03-19|05:25:26|CSYS| iSecurity/Audit: MVP1600 VP/P *AUTFAIL User GUEST; An incorrect network password was used. Server *SYSTEM. Computer ::ffff:1.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - incorrect network password was used; content: " MVP1600 "; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003773; sid:5003773; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - incorrect network password was used"; content: " MVP1600 "; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003773; sid:5003773; rev:2;)

# 10.16.101.200|local6|alert|alert|b1|2018-03-14|14:41:26|CSYS| iSecurity/Audit: MAF0100 AF/A *AUTFAIL User GUEST; Not authorized to object QSYS/XXXXXXX *LIB in program /. Path name .

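Review bot: Sid 5003773 changes on the wire in this section (the msg string gains its missing closing quote, which previously left `msg:` running into `content: " MVP1600 ` and would likely have mis-parsed or rejected the rule), yet both the old and new line keep `rev:2;`. Sagan/Snort convention is to bump rev on every modification so rule-management tooling and downstream mappings notice the change, so the new line should end `sid:5003773; rev:3;)`. A one-line comment above the rule, e.g. `# rev 3: msg string was missing its closing quote, which broke parsing of the msg/content fields.`, would also make the reason for the change discoverable later.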
4 changes: 2 additions & 2 deletions bash.rules
Expand Up @@ -56,11 +56,11 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attem

# Submitted by Aleksey Chudov (07/14/2015).

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+(HISTFILE|HISTFILESIZE|HISTSIZE)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002303; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; meta_content: " %sagan%",HISTFILE,HISTFILESIZE,HISTSIZE; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002303; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+history\s+(-\w+\s+)*-\w*(c|d|w)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002304; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .mysql_history access"; content:"HISTORY"; content:".mysql_history"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002305; rev:2;);

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Netcat execution"; content:"HISTORY"; pcre:"/\s+(nc|ncat|netcat)\s+/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002306; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Netcat execution"; content:"HISTORY"; meta_content: " %sagan% ",nc,ncat,netcat; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002306; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python socket execution"; content:"HISTORY"; content:"python"; content:"socket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002307; rev:2;);
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python subproces execution"; content:"HISTORY"; content:"python"; content:"subproces"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002308; rev:2;)
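Review bot: The `\s+` in the removed pcre patterns matched any run of whitespace, whereas the replacements `meta_content: " %sagan%",HISTFILE,HISTFILESIZE,HISTSIZE;` (sid 5002303) and `meta_content: " %sagan% ",nc,ncat,netcat;` (sid 5002306) require exactly one literal space on each side of the token, so a command logged with a tab or multiple spaces around `nc` or `HISTFILE` no longer matches. If the HISTORY log lines can carry such whitespace, that is a detection gap worth recording above the rules, e.g. `# meta_content matches a single literal space, not \s+; tab-separated or double-spaced commands are not caught.` Separately, `HISTFILESIZE` is redundant in the 5002303 list because neither the old pcre nor meta_content anchors the end of the token, so `HISTFILE` already matches it.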
