[Snort-sigs] Microsoft Windows ShellExecute and IE7 url handling code execution

Matt Olney molney at ...435...
Fri Jan 15 09:31:20 EST 2010


I'll toss a perf bug on it.  You are certainly right that the PCRE
could be broken into multiple rules...there may be some other things
we can try...I'll take a look at our research logs.

In the meantime...cut the rule up as you suggest and add it to your
local.rules.  Give us any feedback you're willing to give.  Sorry I
didn't give you feedback a little quicker, but there are a lot of
things afoot (!) right now and we're slammed.

Matt

On Fri, Jan 8, 2010 at 2:47 PM, Guise McAllaster
<guise.mcallaster at ...2420...> wrote:
> I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
> code execution attempt" not perform well.  It takes 15-20 times more
> processing to check it than most rules.  Here is what it has:
>
> flow:to_client,established; content:".com"; nocase;
> pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";
>
> Can it be split up (mailto, telnet, news, nntp, snews) to add more content
> match than just ".com"?  ".com" will match on all web pages with links to
> .com URLs and will cause the PCRE engine to engage, along with a greedy
> wildcard.   Other performance changes are welcome as well.
>
> Thanks.
>
> Guise
>
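To show why the split helps, here is an added Python model of the two rule sets (example code, not from the thread or from Snort): each rule's content matches gate its PCRE, and the script counts PCRE evaluations over constructed sample responses. It assumes a simplified view of Snort's content pre-filtering (a rule's PCRE runs only when all its content strings are present).

```python
import re

# Constructed sample HTTP response bodies (not traffic from the original thread).
SAMPLES = [
    b'<html><a href="http://www.example.com/index.html">home</a></html>',  # benign .com link
    b'<p>See http://a.example.com and http://b.example.com</p>',            # benign, two .com links
    b'<a href="mailto:user@example.com">mail</a>',                          # mailto: link, no %/" before .com
    b'<a href="news:foo%.com">x</a>',                                        # shape the PCRE looks for
    b'<html><body>hello</body></html>',                                      # no .com at all
    b'<a href="MAILTO:bar".COM">y</a>',                                      # same shape, mixed case
]

SCHEMES = [b"mailto", b"telnet", b"news", b"nntp", b"snews"]

# The thread's PCRE as a Python bytes regex (re.I stands in for the trailing /i).
ORIGINAL_PCRE = re.compile(rb"(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom", re.I)
# One narrower PCRE per scheme for the split rules.
SPLIT_PCRE = {s: re.compile(s + rb"\x3A[^\n]*[\x25\x22]\x2Ecom", re.I) for s in SCHEMES}


def original_rule(payload):
    """Original rule: content ".com" (nocase) gates one PCRE. Returns (hit, pcre_runs)."""
    if b".com" not in payload.lower():
        return False, 0
    return bool(ORIGINAL_PCRE.search(payload)), 1


def split_rules(payload):
    """Five rules, each gated on content "<scheme>:" and ".com" (nocase) before its PCRE."""
    lowered = payload.lower()
    hit, runs = False, 0
    for scheme in SCHEMES:
        if scheme + b":" in lowered and b".com" in lowered:
            runs += 1  # this rule's PCRE is evaluated
            if SPLIT_PCRE[scheme].search(payload):
                hit = True
    return hit, runs


def compare(samples):
    """Return (orig_pcre_runs, split_pcre_runs, orig_hits, split_hits) across samples."""
    orig_runs = split_runs = orig_hits = split_hits = 0
    for payload in samples:
        hit, runs = original_rule(payload)
        orig_hits += hit
        orig_runs += runs
        hit, runs = split_rules(payload)
        split_hits += hit
        split_runs += runs
    return orig_runs, split_runs, orig_hits, split_hits


if __name__ == "__main__":
    print(compare(SAMPLES))  # (5, 3, 2, 2): same detections, fewer PCRE evaluations
```

The benign pages with plain .com links never reach a PCRE under the split rules, while both rule sets still detect the two constructed matching payloads.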