Snort mailing list archives
Re: sid:13272; rule is not so good
From: Miso Patel <miso.patel () gmail com>
Date: Tue, 6 Dec 2011 15:51:52 -0600
Thank you RMKML for pointing me to that site. I see why this could be a problem and matching needs to be done on it. I also found these "bugtraq" links: http://www.securityfocus.com/bid/15131 http://www.securityfocus.com/bid/22616 http://www.securityfocus.com/bid/35553 Scary stuff! I'm glad I've only got a few years until retirements because I don't know what threat landscapes will be like in five years. Just mostly kidding. Say, if you buy VRT rules, do you get support to the point that they can guarantee no bad rules or at least fix them quick so we don't have to wait until the next release? I would like to use a rules that are updated very often because I see that what we are threatened with this week is not a threat to us anymore the next week so I need something more than a, 'hey, patch MS tuesday is here so here are a few rules to detect an wild exploit' type thing. Thanks. Miso, CISO On 12/6/11, rmkml <rmkml () yahoo fr> wrote:
These are good questions! (can be as complicated as to why so much bad/low as detection programs with why so many these software have security holes ...) Maybe more information on exploits bugtraq references?: http://www.securityfocus.com/bid/25053/exploit http://www.securityfocus.com/bid/25945/exploit Regards Rmkml On Tue, 6 Dec 2011, Miso Patel wrote:Thanks you. I am not sure what SEU is but this (along with year end projects and future planning for 2012/goals) has got me thinking ... why then did this rule make it into the release to begin with? What UAT does the rules go thru? For a while now I have been thinking about and have not yet pulled the trigger on the Emerging Threats Pro rules? Does anyone have experience with these or recommend them? I am getting tired of my engineers coming to me and showing such bad snort performance profiling from VRT rules. There has to be a better way and I don't have the staff/budget to hire my own IDS QA special engineer right now. Thanks. Miso, CISO On 12/6/11, rmkml <rmkml () yahoo fr> wrote:Hi Miso, Can you upgrade this rule to last revision (5) please? Appear on SEU 501 at 22 sep 2011. Regards Rmkml On Tue, 6 Dec 2011, Miso Patel wrote:My engineers say rule sid:13272; is not performing good. Here is it: misc.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 mailto url handling code execution attempt"; flow:to_client,established; content:"mailto|3A|"; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:13272; rev:3;) They say it is just a 'mailto:' match (which seems common with the web pages these days) and then a "Regular Expression" which is causing our sensors to not like it and CPU is consumed. I know we run a slightly older rules (due to antiquated hardware, corporate bureaucratic red tape, etc.) but are all these rules so bad? My engineers say this is not good and I wonder if we are detecting on what we need to or if there are dropped packets due to so much bad rules using CPU and RAM? Is there a better rule list I can use for my sensors? Thank you. Miso, CISO
------------------------------------------------------------------------------ Cloud Services Checklist: Pricing and Packaging Optimization This white paper is intended to serve as a reference, checklist and point of discussion for anyone considering optimizing the pricing and packaging model of a cloud services business. Read Now! http://www.accelacomm.com/jaw/sfnl/114/51491232/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- sid:13272; rule is not so good Miso Patel (Dec 06)
- Re: sid:13272; rule is not so good Joel Esler (Dec 06)
- Re: sid:13272; rule is not so good rmkml (Dec 06)
- Re: sid:13272; rule is not so good Miso Patel (Dec 06)
- Re: sid:13272; rule is not so good rmkml (Dec 06)
- Re: sid:13272; rule is not so good Miso Patel (Dec 06)
- Re: sid:13272; rule is not so good rmkml (Dec 06)
- Re: sid:13272; rule is not so good Will Metcalf (Dec 06)
- Re: sid:13272; rule is not so good Miso Patel (Dec 06)
- Re: sid:13272; rule is not so good Joel Esler (Dec 06)