Snort mailing list archives
Re: Microsoft Windows ShellExecute and IE7 url handling code execution
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Thu, 14 Jan 2010 19:53:07 +0000
Hello. This rule is still pounding at my snort that is web traffic. Any was we can make it more efficient? I have not heard anything back. Thanks. Guise On Fri, Jan 8, 2010 at 7:47 PM, Guise McAllaster <guise.mcallaster () gmail com
wrote:
I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt" not perform well. It is takes 15-20 times more processing to check it than most rule. Here is what it has: flow:to_client,established; content:".com"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i"; Can it be split up (mailto, telnet, news, nntp, snews) to add more content match then just ".com"? ".com" will match on all web pages with links to .com URLs and will cause the PCRE engine to engage. along with a greedy wildcard. Other performance changes are welcome ass well. Thanks. Guise
------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Microsoft Windows ShellExecute and IE7 url handling code execution Guise McAllaster (Jan 08)
- Re: Microsoft Windows ShellExecute and IE7 url handling code execution Guise McAllaster (Jan 14)
- Re: Microsoft Windows ShellExecute and IE7 url handling code execution Matt Olney (Jan 15)