[Snort-sigs] Microsoft Windows ShellExecute and IE7 url handling code execution
guise.mcallaster at ...2420...
Thu Jan 14 14:53:07 EST 2010
This rule is still pounding at my snort that is web traffic. Any way we can
make it more efficient? I have not heard anything back. Thanks.
On Fri, Jan 8, 2010 at 7:47 PM, Guise McAllaster <guise.mcallaster at ...2420...
> I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
> code execution attempt" not perform well. It takes 15-20 times more
> processing to check it than most rules. Here is what it has:
> flow:to_client,established; content:".com"; nocase;
> Can it be split up (mailto, telnet, news, nntp, snews) to add more content
> match than just ".com"? ".com" will match on all web pages with links to
> .com URLs and will cause the PCRE engine to engage, along with a greedy
> wildcard. Other performance changes are welcome as well.
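
An added illustration, not part of the original post or of the Snort rule set, of the effect described in the quoted message: it counts how often a regex stage is reached when the only content match in front of it is ".com", compared with one content match per scheme. The rule's real PCRE is not shown in the post, so `STAND_IN_PCRE` is a hypothetical stand-in; the trailing ":" on each scheme and the sample payloads are assumptions constructed for the example.

```python
import re

# Schemes are the ones named in the post; the trailing ":" is an assumption.
SCHEMES = (b"mailto:", b"telnet:", b"news:", b"nntp:", b"snews:")

# Hypothetical stand-in for the rule's regex stage; the real PCRE is not in the post.
STAND_IN_PCRE = re.compile(rb"(?:mailto|telnet|news|nntp|snews):\S*\.com", re.I)

# Constructed server-to-client payloads (not captured traffic).
SAMPLES = [
    b'<a href="http://www.example.com/">home</a>',
    b'<img src="http://cdn.example.com/logo.png">',
    b'<a href="http://shop.example.COM/cart">cart</a>',
    b'<p>plain page with no links</p>',
    b'<a href="mailto:user@example.com">mail us</a>',
    b'<a href="TELNET:host.example.com">console</a>',
    b'<a href="http://example.org/news">headlines</a>',
]

def prefilter_single(payload):
    """Behaviour quoted in the post: content:".com"; nocase;"""
    return b".com" in payload.lower()

def prefilter_split(payload):
    """Split suggested in the post: one case-insensitive match per scheme."""
    low = payload.lower()
    return any(scheme in low for scheme in SCHEMES)

def evaluate(prefilter, payloads):
    """Return (regex_evaluations, alerts) with the prefilter in front of the regex."""
    evaluations = alerts = 0
    for payload in payloads:
        if not prefilter(payload):
            continue  # cheap content match failed, so the regex never runs
        evaluations += 1
        if STAND_IN_PCRE.search(payload):
            alerts += 1
    return evaluations, alerts

def compare(payloads=SAMPLES):
    """Regex evaluations and alerts for both prefilters over the same payloads."""
    return {"single": evaluate(prefilter_single, payloads),
            "split": evaluate(prefilter_split, payloads)}

if __name__ == "__main__":
    for name, (evals, alerts) in compare().items():
        print(f"{name:6s} regex evaluations={evals} alerts={alerts}")
```

On these samples both prefilters lead to the same alerts, but the ".com" match sends every page with a .com link to the regex stage.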