[Snort-sigs] Microsoft Windows ShellExecute and IE7 url handling code execution

Guise McAllaster guise.mcallaster at ...2420...
Thu Jan 14 14:53:07 EST 2010


Hello.

This rule is still pounding at my snort that is web traffic.  Any way we can
make it more efficient? I have not heard anything back.  Thanks.

Guise


On Fri, Jan 8, 2010 at 7:47 PM, Guise McAllaster <guise.mcallaster at ...2420...> wrote:

> I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
> code execution attempt" not perform well.  It takes 15-20 times more
> processing to check it than most rules.  Here is what it has:
>
> flow:to_client,established; content:".com"; nocase;
> pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";
>
> Can it be split up (mailto, telnet, news, nntp, snews) to add more content
> matches than just ".com"?  ".com" will match on all web pages with links to
> .com URLs and will cause the PCRE engine to engage, along with a greedy
> wildcard.   Other performance changes are welcome as well.
>
> Thanks.
>
> Guise
>
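The performance point in the quoted message, as an added example that is not part of the thread and not Snort's own code: a small Python model of how Snort evaluates a rule's options, in which every content keyword must match the payload before the rule's PCRE is tried at all. The PCRE is copied from the rule quoted above; the payloads are constructed sample pages (the last one is simply a string shaped to satisfy the regex, not a real exploit). The model counts how often the PCRE engine is invoked across the traffic with the original single ".com" content versus the proposed split into one rule per URI scheme, each carrying the scheme as an extra content keyword. The evaluation order and the per-scheme split are assumptions about the rewritten rule, not text from the thread.

```python
"""Model Snort's content-then-PCRE rule evaluation for the ShellExecute rule."""
import re

# PCRE copied from the rule in the thread; Snort's /i flag maps to re.IGNORECASE.
RULE_PCRE = re.compile(
    rb"(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom", re.IGNORECASE
)

# Original rule: the only content keyword is ".com" (nocase).
ORIGINAL_RULESET = [[b".com"]]

# Assumed split (not the thread's text): one rule per scheme, each requiring
# the scheme prefix as a content keyword in addition to ".com".
SPLIT_RULESET = [
    [scheme + b":", b".com"]
    for scheme in (b"mailto", b"telnet", b"news", b"nntp", b"snews")
]

# Constructed sample payloads standing in for captured web responses.
SAMPLE_PAYLOADS = [
    # Ordinary pages: each links to a .com host, so ".com" alone filters nothing.
    b'<a href="http://www.example.com/">Example</a>',
    b'<a href="http://cdn.example.com/a.js"></a><a href="http://ads.example.com/">ads</a>',
    b'<img src="http://img.example.com/logo.png">',
    # No ".com" at all: neither ruleset reaches the PCRE.
    b'<a href="https://snort.example.org/">Snort</a>',
    # Has a news: link and a .com link but no "%.com" or '".com': PCRE runs and misses.
    b'<a href="news:comp.security.misc">Usenet</a> <a href="http://example.com/">home</a>',
    # Constructed string shaped to satisfy the regex ("scheme:...%.com"); not a real exploit.
    b'<a href="mailto:test%.com">click</a>',
]


def content_match(payload, needle):
    """Snort 'content:"..."; nocase;' is a case-insensitive substring search."""
    return needle.lower() in payload.lower()


def evaluate_rule(payload, needles):
    """Return (pcre_ran, alerted).

    Every content keyword must hit before the PCRE is evaluated; this is the
    ordering Snort uses, and it is why cheap, selective content keywords keep
    the regex engine off the bulk of the traffic.
    """
    if not all(content_match(payload, n) for n in needles):
        return False, False
    return True, RULE_PCRE.search(payload) is not None


def simulate(payloads, ruleset):
    """Count PCRE invocations and alerting payloads for a ruleset over traffic."""
    pcre_runs = 0
    alerting_payloads = 0
    for payload in payloads:
        alerted = False
        for needles in ruleset:
            ran, hit = evaluate_rule(payload, needles)
            pcre_runs += int(ran)
            alerted = alerted or hit
        alerting_payloads += int(alerted)
    return pcre_runs, alerting_payloads


if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL_RULESET), ("split", SPLIT_RULESET)):
        runs, alerts = simulate(SAMPLE_PAYLOADS, ruleset)
        print(f"{name:8s} PCRE invocations={runs} alerting payloads={alerts}")
```

Over these six payloads the single ".com" content sends five of them to the PCRE engine and the split rules send two, with the same one payload alerting either way. In Snort 2.x the longest content in a rule is used as the fast pattern unless `fast_pattern` is set explicitly, so adding `content:"mailto:"` (or the other scheme prefixes) also moves the multi-pattern prefilter off ".com" and onto a string that is rare in ordinary web traffic; the cost is one rule and one SID per scheme.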