[Snort-sigs] Microsoft Windows ShellExecute and IE7 url handling code execution
guise.mcallaster at ...2420...
Fri Jan 8 14:47:52 EST 2010
I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
code execution attempt" not perform well. It takes 15-20 times more
processing to check it than most rules. Here is what it has:
flow:to_client,established; content:".com"; nocase;
Can it be split up (mailto, telnet, news, nntp, snews) to add more content
match than just ".com"? ".com" will match on all web pages with links to
.com URLs and will cause the PCRE engine to engage, along with a greedy
wildcard. Other performance changes are welcome as well.