[Snort-sigs] Being killed by poor IE rules...

Guise McAllaster guise.mcallaster at ...2420...
Tue Jan 26 10:54:39 EST 2010


Hello.  The rules with SID 14645, 14643, 11966 are hammering my web
snorts.  The first two are GID:3 so I cannot be of help in making them
better :( but the last one is this:

web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption
attempt"; flow:to_client,established;
pcre:"/\x3c[^\x3e]*style=[^\x3e]*csstext\x3a.*\x3e/i";
reference:bugtraq,24423; reference:cve,2007-1750;
reference:url,www.microsoft.com/technet/security/Bulletin/MS07-033.mspx;
classtype:attempted-user; sid:11966; rev:1;)

Clearly the naked pcre is a big no-no.  Here are some performance stats
(notice how terrible it is):



SID    GID     Checks   Matches   Alerts   Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===    ===     ======   =======   ======   =========  =========  =========  ============  ========
14645    3     158641         0        0    11579605       73.0        0.0          73.0         0
14643    3     158641         0        0     5870863       37.0        0.0          37.0         0
11966    1    5129886         0        0     5847694        1.1        0.0           1.1         0



SID    GID     Checks   Matches   Alerts   Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===    ===     ======   =======   ======   =========  =========  =========  ============  ========
14645    3      31623         0        0     3878806      122.7        0.0         122.7         0
11966    1    1506965         0        0     1656476        1.1        0.0           1.1         0
14643    3      31623         0        0     1443499       45.6        0.0          45.6         0



I am starting to wonder about the VRT snort rules ... raw pcre with no
content? ... and these GID:3 rules? ... it makes me wonder what they are
hiding ... it is tough to get good community feedback when the rules
are hidden/compiled.  When I see such poor performing rules it shows
me a need for a person to go through old rules and make them better.
And I am the perfect person for this job (if I can work from France,
but I don't think that would be a problem).  I already feel like
SourceFire should be paying me, with all my good suggestions ;)



Guise
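The two checks the post is really asking for, as an added example and not code from the list, the VRT, or Snort itself: a small rule-option parser that flags a `pcre` with no `content`/`uricontent` anchor (the "naked pcre" that forces the regex to run on every packet the header matches, because the fast-pattern matcher has nothing to pre-filter with), and a parser for the rule-profiling table quoted above that ranks rules by total microseconds and lists the ones that cost a lot while matching nothing. The SID 11966 rule is taken from the message; the "anchored" variant with `content:` options and the local SID 1000001 is a hypothetical rewrite constructed for illustration, not a VRT rule, and the profiling text is the first table from the message embedded as sample input.

```python
"""Audit Snort rules for pcre-without-content and rank rule-profiling output.

Added example for the Snort-sigs thread; not VRT or Snort project code.
"""

# The SID 11966 rule as quoted in the message (closing paren restored).
NAKED_PCRE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt"; '
    'flow:to_client,established; '
    'pcre:"/\\x3c[^\\x3e]*style=[^\\x3e]*csstext\\x3a.*\\x3e/i"; '
    'reference:bugtraq,24423; reference:cve,2007-1750; '
    'classtype:attempted-user; sid:11966; rev:1;)'
)

# Hypothetical rewrite (constructed, local SID): the same pcre, but preceded by
# content matches so the fast-pattern matcher only hands candidate packets to it.
ANCHORED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt"; '
    'flow:to_client,established; '
    'content:"style="; nocase; content:"csstext:"; nocase; '
    'pcre:"/\\x3c[^\\x3e]*style=[^\\x3e]*csstext\\x3a.*\\x3e/i"; '
    'classtype:attempted-user; sid:1000001; rev:1;)'
)

# Constructed sample: the first profiling table from the message, one row per line.
SAMPLE_STATS = """\
SID    GID     Checks   Matches   Alerts   Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===    ===     ======   =======   ======   =========  =========  =========  ============  ========
14645    3     158641         0        0    11579605       73.0        0.0          73.0         0
14643    3     158641         0        0     5870863       37.0        0.0          37.0         0
11966    1    5129886         0        0     5847694        1.1        0.0           1.1         0
"""


def parse_options(rule):
    """Return [(name, value), ...] for the options inside the rule's parentheses.

    Splits on ';' only outside double quotes, honouring backslash escapes, so a
    ';' inside msg or pcre text does not break a token apart.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(buf).strip()
            if token:
                name, _, value = token.partition(':')
                opts.append((name.strip(), value.strip().strip('"')))
            buf = []
        else:
            buf.append(ch)
    return opts


def audit_rule(rule):
    """Flag a rule whose pcre has no content/uricontent option to anchor it."""
    opts = parse_options(rule)
    names = {name for name, _ in opts}
    sid = next((value for name, value in opts if name == 'sid'), None)
    has_pcre = 'pcre' in names
    has_content = bool(names & {'content', 'uricontent'})
    return {
        'sid': sid,
        'has_pcre': has_pcre,
        'has_content': has_content,
        # No content match means nothing for the fast-pattern matcher to
        # pre-filter on, so the regex is evaluated for every matching packet.
        'naked_pcre': has_pcre and not has_content,
    }


def parse_perf_stats(text):
    """Parse Snort rule-profiling rows (10 columns) into dicts; skip headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10 or not fields[0].isdigit():
            continue
        sid, gid, checks, matches, alerts, usecs = (int(f) for f in fields[:6])
        avg_check, avg_match, avg_nonmatch = (float(f) for f in fields[6:9])
        rows.append({'sid': sid, 'gid': gid, 'checks': checks, 'matches': matches,
                     'alerts': alerts, 'microsecs': usecs, 'avg_check': avg_check,
                     'avg_match': avg_match, 'avg_nonmatch': avg_nonmatch,
                     'disabled': int(fields[9])})
    return rows


def rank_by_cost(rows, key='microsecs'):
    """Most expensive rules first, by total microseconds (or another column)."""
    return sorted(rows, key=lambda r: r[key], reverse=True)


def zero_match_hogs(rows, min_microsecs):
    """SIDs that burned at least min_microsecs while never matching anything."""
    return [r['sid'] for r in rank_by_cost(rows) if r['matches'] == 0 and r['microsecs'] >= min_microsecs]


if __name__ == '__main__':
    for rule in (NAKED_PCRE_RULE, ANCHORED_RULE):
        print(audit_rule(rule))
    stats = parse_perf_stats(SAMPLE_STATS)
    for row in rank_by_cost(stats):
        print(row['sid'], row['gid'], row['microsecs'], row['avg_check'])
    print('zero-match hogs over 5s:', zero_match_hogs(stats, 5_000_000))
```

Ranking by total microseconds rather than Avg/Check is deliberate: SID 11966 looks cheap per check (1.1 us) but is checked on every HTTP response, so its total cost is in the same band as the GID:3 rules.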



