Snort mailing list archives

Re: Microsoft Windows ShellExecute and IE7 url handling code execution


From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Thu, 14 Jan 2010 19:53:07 +0000

Hello.

This rule is still pounding at my snort that is web traffic.  Any way we can
make it more efficient? I have not heard anything back.  Thanks.

Guise


On Fri, Jan 8, 2010 at 7:47 PM, Guise McAllaster <guise.mcallaster () gmail com> wrote:

I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
code execution attempt" not perform well.  It takes 15-20 times more
processing to check it than most rules.  Here is what it has:

flow:to_client,established; content:".com"; nocase;
pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";

Can it be split up (mailto, telnet, news, nntp, snews) to add more content
matches than just ".com"?  ".com" will match on all web pages with links to
.com URLs and will cause the PCRE engine to engage, along with a greedy
wildcard.   Other performance changes are welcome as well.

Thanks.

Guise
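As an added illustration (not from the list post or from the Snort rule set), a small Python model of why the content keyword matters: Snort only runs a rule's pcre after its content match(es) succeed, so over a constructed set of server responses the number of PCRE evaluations drops when ".com" is paired with a scheme-specific content string, while the alert on the one payload that really matches the regex is unchanged. The substring prefilter below is a simplified stand-in for Snort's fast-pattern matcher, assumed for illustration; the regex is the one quoted in the post.

```python
import re

# The pcre from the rule under discussion, exactly as quoted in the post.
URL_HANDLER_PCRE = re.compile(
    rb"(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom", re.IGNORECASE
)

# Constructed sample server responses (not real captures). Only the fourth
# one satisfies the regex; the rest are ordinary pages that merely contain ".com".
SAMPLES = [
    b'<a href="http://www.example.com/">example</a>',
    b'<a href="http://news.example.com/index.html">news</a>',
    b'<a href="mailto:user@example.com">mail</a>',
    b'<a href="mailto:x%.com">pattern</a>',
    b"Plain text, no links here.",
]

# Each rule is modelled as its list of content strings (all must be present,
# case-insensitively, before the pcre is evaluated), as Snort ANDs them.
ORIGINAL_RULESET = [[b".com"]]
# The poster's suggestion: one rule per scheme, each anchored on "<scheme>:".
SPLIT_RULESET = [
    [scheme + b":", b".com"]
    for scheme in (b"mailto", b"telnet", b"news", b"nntp", b"snews")
]


def content_prefilter(payload, contents):
    """Simplified stand-in for Snort's content matching (assumption)."""
    p = payload.lower()
    return all(c.lower() in p for c in contents)


def evaluate(payloads, ruleset):
    """Return (number of pcre evaluations performed, number of alerts raised)."""
    pcre_runs = 0
    alerts = 0
    for payload in payloads:
        for contents in ruleset:
            if not content_prefilter(payload, contents):
                continue          # content failed: Snort never reaches the pcre
            pcre_runs += 1
            if URL_HANDLER_PCRE.search(payload):
                alerts += 1
    return pcre_runs, alerts


if __name__ == "__main__":
    print("original:", evaluate(SAMPLES, ORIGINAL_RULESET))  # (4, 1)
    print("split:   ", evaluate(SAMPLES, SPLIT_RULESET))     # (2, 1)
```

The original rule hands four of the five responses to the regex engine; the split variant hands over two and still produces the same single alert.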
