[Snort-sigs] sid:13272; rule is not so good
miso.patel at ...2420...
Tue Dec 6 14:46:19 EST 2011
My engineers say rule sid:13272; is not performing well. Here it is:
misc.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"MISC Microsoft Windows ShellExecute and IE7 mailto url handling
code execution attempt"; flow:to_client,established;
security-ips drop, service http; reference:bugtraq,25945;
classtype:attempted-user; sid:13272; rev:3;)
They say it is just a 'mailto:' match (which seems common with the web
pages these days) and then a "Regular Expression" which is causing our
sensors to not like it and CPU is consumed.
I know we run slightly older rules (due to antiquated hardware,
corporate bureaucratic red tape, etc.) but are all these rules so bad?
My engineers say this is not good and I wonder if we are detecting on
what we need to or if there are dropped packets due to so many bad
rules using CPU and RAM? Is there a better rule list I can use for my
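The engineers' complaint is about two-stage evaluation: the cheap content match gates the expensive regex, and a content as common as 'mailto:' lets the regex run on most pages. The following is an added simulation, not code from the post or from Snort; the regex and the sample HTTP bodies are constructed stand-ins (the real pcre of sid:13272 is not shown above), and it shows how requiring a second content option cuts regex invocations without losing the true alert.

```python
import re

# Constructed sample HTTP response bodies (not real traffic). As in the
# post, most pages carry a mailto: link somewhere.
SAMPLE_BODIES = [
    b"<html><body><a href='mailto:webmaster@example.invalid'>mail</a></body></html>",
    b"<html><body>No email links here, just text.</body></html>",
    b"<html><body><a href='mailto:sales@example.invalid?subject=hi'>sales</a></body></html>",
    b"<html><body>Footer <a href='mailto:info@example.invalid'>info</a></body></html>",
    b"<script>var x = 1;</script>",
    # Constructed "bad" body: a mailto: URL with an unusually long query string.
    b"<a href='mailto:x@example.invalid?" + b"A" * 250 + b"'>x</a>",
]

# Hypothetical stand-in for the rule's pcre option: a mailto: URL whose
# query string is at least 200 characters long. Backtracking makes it
# noticeably more expensive than a plain substring search.
SLOW_REGEX = re.compile(rb"mailto:[^\s'\"]*\?[^\s'\"]{200,}")


def evaluate_rule(prefilters, regex, payloads):
    """Mimic Snort's evaluation order: every content option must be found
    in the payload before the regex is tried at all.

    Returns (payloads seen, regex invocations, alerts)."""
    seen = regex_runs = alerts = 0
    for payload in payloads:
        seen += 1
        if not all(pattern in payload for pattern in prefilters):
            continue  # a content option failed, so the regex never runs
        regex_runs += 1
        if regex.search(payload):
            alerts += 1
    return seen, regex_runs, alerts


def compare_prefilters(payloads=SAMPLE_BODIES):
    """Selectivity of the original 'mailto:' gate versus a two-content gate
    that also requires the '?' the regex needs anyway."""
    return {
        "mailto only": evaluate_rule([b"mailto:"], SLOW_REGEX, payloads),
        "mailto and ?": evaluate_rule([b"mailto:", b"?"], SLOW_REGEX, payloads),
    }


if __name__ == "__main__":
    for label, (seen, runs, alerts) in compare_prefilters().items():
        print(f"{label:14s} seen={seen} regex_runs={runs} alerts={alerts}")
```

Snort's own numbers for a live sensor come from rule profiling (config profile_rules), which reports checks, matches and time per rule; this simulation only illustrates why the check count is so high for a gate like 'mailto:'.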