Snort mailing list archives

Re: Possible FP 10505


From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 20 May 2011 16:24:54 +0100

This rule's PCRE is horrid:

a) unescape is very common, so it will be moving onto PCRE extremely
frequently. Perhaps when this rule was written obfuscation and unescape
weren't as common in normal traffic as they are now.
b) the pcre is long with lots of different match possibilities (not
necessarily a bad thing, as I have written ET rules where there is no choice),
but with such a common content match it will be working through them often.

Perhaps it needs to be looked at to improve, as I think a performance improvement
could be achieved somehow. You could get rid of 2 of them by having one as
shellcode being the content match and the other payload before moving into
PCRE.

On 20 May 2011 16:10, Lay, James <james.lay () wincofoods com> wrote:

The rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE
unescape encoded shellcode"; flow:to_client,established; content:"unescape";
fast_pattern:only;
pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi";
pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi";
classtype:shellcode-detect; sid:10505; rev:3;)



The hit:

05/20-09:07:31.610475  [**] [1:10505:3] SHELLCODE unescape encoded
shellcode [**] [Classification: Executable code was detected] [Priority: 1]
{TCP} 74.125.227.18:80 -> INT.IP:57562



The file:

wget http://maps.gstatic.com/intl/en_us/mapfiles/341a/maps2.api/main.js


------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its
next-generation tools to help Windows* and Linux* C/C++ and Fortran
developers boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
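To see why ordinary JavaScript such as a map library trips sid:10505, here is an added Python check (not from this thread or the Snort project) that emulates the rule's match order on constructed samples; it uses Python's re module on the rule's two PCREs, not Snort's engine, and the sample strings are made up, not captured traffic.

```python
import re

# The two PCREs from sid:10505, copied verbatim; Snort's /smi maps to re.S | re.M | re.I.
FLAGS = re.S | re.M | re.I
KEYWORDS = re.compile(
    r"(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)",
    FLAGS)
UNESCAPE = re.compile(
    r"unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)"
    r"[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}",
    FLAGS)


def evaluate_rule(body):
    """Emulate the rule's evaluation order on one response body.

    Returns (alert, stage, keywords): the stage at which matching stopped
    and the sorted set of first-PCRE alternatives found, which is what a
    tuner needs in order to see which common word caused a false positive.
    """
    # Stage 1: content:"unescape" has no nocase, so it is a case-sensitive match.
    if "unescape" not in body:
        return (False, "content", [])
    # Stage 2: the keyword alternation. "agent" and "block" are everyday JS words.
    found = sorted({m.lower() for m in KEYWORDS.findall(body)})
    if not found:
        return (False, "pcre1", [])
    # Stage 3: unescape( followed by a quote and three percent- or backslash-hex pairs.
    if not UNESCAPE.search(body):
        return (False, "pcre2", found)
    return (True, "alert", found)


# Constructed samples, labelled by what they are meant to show.
SAMPLES = {
    # Minified-library style: navigator.userAgent supplies "agent" and a
    # percent-encoded string literal satisfies the second PCRE -> false positive.
    "benign_js": 'var ua=navigator.userAgent;var s=unescape("%3C%2F%73");',
    # Same literal with no keyword-list word anywhere -> stops at the first PCRE.
    "benign_js_no_kw": 'var s=unescape("%3C%2F%73");',
    # Mentions unescape and a keyword but carries no encoded literal.
    "prose": "The unescape() function decodes a payload string.",
    # The shape the rule was written for: a variable named shellcode holding
    # a percent-encoded literal (hypothetical placeholder bytes, not shellcode).
    "intended": 'var shellcode = unescape("%41%41%41%41");',
}


def summarize():
    """Run every sample through the emulated rule; keyed by sample name."""
    return {name: evaluate_rule(body) for name, body in SAMPLES.items()}
```

The benign_js sample alerts for exactly the reason Kevin describes: "unescape" fires the fast pattern, "userAgent" satisfies the keyword alternation, and a percent-encoded literal satisfies the third stage.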
