Snort mailing list archives
Re: Microsoft Windows ShellExecute and IE7 url handling code execution
From: Matt Olney <molney () sourcefire com>
Date: Fri, 15 Jan 2010 09:31:20 -0500
I'll toss a perf bug on it. You are certainly right that the PCRE could be broken into multiple rules...there may be some other things we can try...I'll take a look at our research logs. In the meantime...cut the rule up as you suggest and add it to your local.rules. Give us any feedback you're willing to give.

Sorry I didn't give you feedback a little quicker, but there are a lot of things afoot (!) right now and we're slammed.

Matt

On Fri, Jan 8, 2010 at 2:47 PM, Guise McAllaster <guise.mcallaster () gmail com> wrote:
> I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt" not perform well. It takes 15-20 times more processing to check it than most rules. Here is what it has:
>
> flow:to_client,established; content:".com"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";
>
> Can it be split up (mailto, telnet, news, nntp, snews) to add more content matches than just ".com"? ".com" will match on all web pages with links to .com URLs and will cause the PCRE engine to engage, along with a greedy wildcard. Other performance changes are welcome as well.
>
> Thanks.
> Guise
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
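The following script is an added illustration, not code from this thread or from the Snort project. It models the point Guise raises: a rule whose only content match is ".com" hands almost every HTML response to the PCRE engine, whereas one rule per URL scheme, each carrying the scheme as an extra content match, engages PCRE only on payloads that contain that scheme. The toy matcher (all content options must hit before the PCRE runs, case-insensitively because of `nocase`), the rule header, the sid numbers in the local.rules range, and the sample payloads are all assumed or constructed here; the content and pcre options themselves are the ones quoted in the thread.

```python
import re
from collections import Counter

# Scheme alternation taken from the rule quoted in the thread.
SCHEMES = ["mailto", "telnet", "news", "nntp", "snews"]

# Original rule as posted: a single ".com" content match gating one PCRE
# with a greedy [^\n]* wildcard.
ORIGINAL_RULE = {
    "name": "original",
    "contents": [".com"],
    "pcre": re.compile(
        r"(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom", re.I),
}

# Split variant (the change proposed in the thread): one rule per scheme,
# with "<scheme>:" added as a content match so PCRE runs far less often.
SPLIT_RULES = [
    {
        "name": f"split-{s}",
        "contents": [f"{s}:", ".com"],
        "pcre": re.compile(rf"{s}\x3A[^\n]*[\x25\x22]\x2Ecom", re.I),
    }
    for s in SCHEMES
]


def split_rule_text(scheme, sid):
    """Render one split rule as a local.rules line.

    The header ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any), msg text,
    classtype and sid are assumptions for illustration, not the VRT rule.
    """
    return (
        f'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
        f'msg:"LOCAL ShellExecute/IE7 url handling attempt ({scheme})"; '
        f'flow:to_client,established; '
        f'content:"{scheme}:"; nocase; content:".com"; nocase; '
        f'pcre:"/{scheme}\\x3A[^\\n]*[\\x25\\x22]\\x2Ecom/i"; '
        f'classtype:attempted-user; sid:{sid}; rev:1;)'
    )


def evaluate(rule, payload, pcre_calls):
    """Toy Snort-like evaluation: every content option must match
    (case-insensitively, as with nocase) before the PCRE is tried."""
    low = payload.lower()
    for c in rule["contents"]:
        if c.lower() not in low:
            return False
    pcre_calls[rule["name"]] += 1          # PCRE engine engaged
    return rule["pcre"].search(payload) is not None


def run(rules, payloads):
    """Return (total PCRE invocations, list of (payload index, rule name) alerts)."""
    pcre_calls = Counter()
    alerts = []
    for i, p in enumerate(payloads):
        for r in rules:
            if evaluate(r, p, pcre_calls):
                alerts.append((i, r["name"]))
    return sum(pcre_calls.values()), alerts


# Constructed sample HTTP response bodies (not real traffic):
# 0-1: ordinary pages with .com links and no scheme of interest
# 2:   a benign mailto: link
# 3:   the quoted pattern (scheme, then %, then .com), which the rule exists to catch
# 4:   no ".com" at all
SAMPLE_PAYLOADS = [
    '<html><a href="http://www.example.com/">home</a></html>',
    '<p>Visit http://news.example.com/ for updates</p>',
    '<a href="mailto:alice@example.com">mail</a>',
    "<a href='mailto:test%.com'>x</a>",
    '<html><body>Hello world</body></html>',
]


def compare(payloads=SAMPLE_PAYLOADS):
    """Side-by-side PCRE cost and alerts for the original and split rule sets."""
    return {
        "original": run([ORIGINAL_RULE], payloads),
        "split": run(SPLIT_RULES, payloads),
    }


if __name__ == "__main__":
    for name, (calls, alerts) in compare().items():
        print(f"{name:9s} pcre calls={calls} alerts={alerts}")
    print(split_rule_text("mailto", 1000001))
```

On the constructed sample, the original rule runs its PCRE on four of the five payloads (every one containing ".com"), while the five split rules together run PCRE twice (only the two mailto: payloads) and still raise the same single alert. The greedy `[^\n]*` is left as posted; its cost matters less once the content matches keep most traffic away from the PCRE engine entirely.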