[Snort-sigs] Microsoft Windows ShellExecute and IE7 url handling code execution

Guise McAllaster guise.mcallaster at ...2420...
Fri Jan 8 14:47:52 EST 2010


I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
code execution attempt" not perform well.  It is takes 15-20 times more
processing to check it than most rule.  Here  is what it has:

flow:to_client,established; content:".com"; nocase;
pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";

Can it be split up (mailto, telnet, news, nntp, snews) to add more content
match then just ".com"?  ".com" will match on all web pages with links to
.com URLs and will cause the PCRE engine to engage. along with a greedy
wildcard.   Other performance changes are welcome ass well.

Thanks.

Guise
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20100108/989ac8fa/attachment.html>


More information about the Snort-sigs mailing list