[Snort-sigs] sid:13272; rule is not so good
rmkml at ...174...
Tue Dec 6 16:47:36 EST 2011
Can you upgrade this rule to the latest revision (5), please?
It appeared in SEU 501 on 22 Sep 2011.
On Tue, 6 Dec 2011, Miso Patel wrote:
> My engineers say rule sid:13272; is not performing well. Here it is:
> misc.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"MISC Microsoft Windows ShellExecute and IE7 mailto url handling
> code execution attempt"; flow:to_client,established;
> pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy
> security-ips drop, service http; reference:bugtraq,25945;
> classtype:attempted-user; sid:13272; rev:3;)
> They say it is just a 'mailto:' match (which seems common on web
> pages these days) followed by a "Regular Expression", which our
> sensors do not like and which consumes CPU.
> I know we run a slightly older ruleset (due to antiquated hardware,
> corporate bureaucratic red tape, etc.), but are all these rules so bad?
> My engineers say this is not good, and I wonder whether we are detecting
> what we need to, or whether there are dropped packets due to so many bad
> rules using CPU and RAM. Is there a better rule list I can use for my
> Thank you.
> Miso, CISO
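The CPU concern raised above, as an added example that is not part of the thread or of the Snort rule set: a small Python emulation of how a content keyword followed by a relative (R) pcre is evaluated against a reassembled HTTP response body, run over constructed page bodies. It assumes the content keyword preceding the pcre is "mailto:" with nocase (the quoted rule text omits it; the message describes the rule as "just a 'mailto:' match"), and it approximates the worst case in which the pcre is tried once at every occurrence of the content. The pages, the link texts and the exploit-shaped URL are all constructed here; the function names are hypothetical.

```python
import re

# The pcre exactly as quoted for sid:13272 rev 3. In Snort the R modifier makes
# it relative to the end of the previous content match and i makes it
# case-insensitive; Python's pattern.match(buf, pos) gives the same anchoring.
PCRE_13272 = re.compile(rb'[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)', re.IGNORECASE)

# Assumption: the content keyword that precedes the pcre is "mailto:" with
# nocase. The quoted rule text does not show it; the message only says the
# rule is "just a 'mailto:' match" followed by the regex.
CONTENT = b"mailto:"


def rule_13272_matches(payload: bytes):
    """Emulate 'content + relative pcre' evaluation over one payload.

    For every case-insensitive occurrence of CONTENT the pcre is tried,
    anchored at the byte after that occurrence (Snort's R semantics). This
    approximates the worst case where the detection engine retries the
    content match at each occurrence until the pcre succeeds.

    Returns (alerts, pcre_evaluations): alerts is the list of matched byte
    strings (content plus pcre match), pcre_evaluations is how many times
    the regex engine ran for this payload.
    """
    alerts = []
    evaluations = 0
    lower = payload.lower()  # nocase content match
    start = 0
    while True:
        idx = lower.find(CONTENT, start)
        if idx == -1:
            break
        end = idx + len(CONTENT)
        evaluations += 1
        m = PCRE_13272.match(payload, end)
        if m:
            alerts.append(payload[idx:m.end()])
        start = end
    return alerts, evaluations


# Constructed sample: an ordinary contact page with 50 mailto links. None of
# them has '%' or '"' directly before .com/.bat/.cmd/.exe on the same line,
# so the rule must not alert, yet the pcre runs once per link.
BENIGN_PAGE = (
    b"<html><body>\n"
    + b"".join(
        b'<a href="mailto:user%d@example.com">contact</a>\n' % i for i in range(50)
    )
    + b"</body></html>\n"
)

# Constructed sample in the shape the rule targets: a mailto URL that ends in
# '".cmd', i.e. a quote character immediately followed by an executable
# extension. One benign link precedes it, so the pcre is evaluated twice.
EXPLOIT_PAGE = (
    b"<html><body>\n"
    b'<a href="mailto:webmaster@example.com">webmaster</a>\n'
    b'<a href="mailto:test%../../../../windows/system32/calc.exe".cmd">click</a>\n'
    b"</body></html>\n"
)


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("exploit", EXPLOIT_PAGE)):
        alerts, n = rule_13272_matches(page)
        print(f"{name}: {len(alerts)} alert(s), pcre evaluated {n} time(s)")
        for a in alerts:
            print("  matched:", a.decode("ascii", "replace"))
```

The point the emulation makes is the one the engineers raised: the content keyword is only a fast pre-filter, and every hit on a page full of mailto links costs one pcre evaluation that scans to the end of the line before giving up. Whether the newer revision narrows the content match or the regex is something to check in the rule text itself after updating.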