sid:13272; rule is not so good

[Miso Patel <miso.patel () gmail com>]

My engineers say rule sid:13272; is not performing good.  Here is it:

misc.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"MISC Microsoft Windows ShellExecute and IE7 mailto url handling
code execution attempt"; flow:to_client,established;
content:"mailto|3A|";
pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy
security-ips drop, service http; reference:bugtraq,25945;
reference:cve,2007-3896;
reference:url,www.microsoft.com/technet/security/advisory/943521.mspx;
reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx;
classtype:attempted-user; sid:13272; rev:3;)

They say it is just a 'mailto:' match (which seems common with the web
pages these days) and then a "Regular Expression" which is causing our
sensors to not like it and CPU is consumed.

I know we run a slightly older rules (due to antiquated hardware,
corporate bureaucratic red tape, etc.) but are all these rules so bad?
 My engineers say this is not good and I wonder if we are detecting on
what we need to or if there are dropped packets due to so much bad
rules using CPU and RAM?  Is there a better rule list I can use for my
sensors?

Thank you.

Miso, CISO

------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of 
discussion for anyone considering optimizing the pricing and packaging model 
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!