Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: sid:13272; rule is not so good

From: Miso Patel <miso.patel () gmail com>
Date: Tue, 6 Dec 2011 15:51:52 -0600
Thank you RMKML for pointing me to that site.  I see why this could be
a problem and matching needs to be done on it.  I also found these
"bugtraq" links:

http://www.securityfocus.com/bid/15131
http://www.securityfocus.com/bid/22616
http://www.securityfocus.com/bid/35553

Scary stuff!  I'm glad I've only got a few years until retirements
because I don't know what threat landscapes will be like in five
years.  Just mostly kidding.  Say, if you buy VRT rules, do you get
support to the point that they can guarantee no bad rules or at least
fix them quick so we don't have to wait until the next release?  I
would like to use a rules that are updated very often because I see
that what we are threatened with this week is not a threat to us
anymore the next week so I need something more than a, 'hey, patch MS
tuesday is here so here are a few rules to detect an wild exploit'
type thing.

Thanks.

Miso, CISO

On 12/6/11, rmkml <rmkml () yahoo fr> wrote:

These are good questions! (can be as complicated as to why so much bad/low
as detection programs with why so many these software have security holes
...)
Maybe more information on exploits bugtraq references?:
  http://www.securityfocus.com/bid/25053/exploit
  http://www.securityfocus.com/bid/25945/exploit
Regards
Rmkml


On Tue, 6 Dec 2011, Miso Patel wrote:


Thanks you.  I am not sure what SEU is but this (along with year end
projects and future planning for 2012/goals) has got me thinking ...
why then did this rule make it into the release to begin with?  What
UAT does the rules go thru?

For a while now I have been thinking about and have not yet pulled the
trigger on the Emerging Threats Pro rules?  Does anyone have
experience with these or recommend them?  I am getting tired of my
engineers coming to me and showing such bad snort performance
profiling from VRT rules.  There has to be a better way and I don't
have the staff/budget to hire my own IDS QA special engineer right
now.

Thanks.

Miso, CISO

On 12/6/11, rmkml <rmkml () yahoo fr> wrote:

Hi Miso,
Can you upgrade this rule to last revision (5) please?
Appear on SEU 501 at 22 sep 2011.
Regards
Rmkml


On Tue, 6 Dec 2011, Miso Patel wrote:


My engineers say rule sid:13272; is not performing good.  Here is it:

misc.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"MISC Microsoft Windows ShellExecute and IE7 mailto url handling
code execution attempt"; flow:to_client,established;
content:"mailto|3A|";
pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy
security-ips drop, service http; reference:bugtraq,25945;
reference:cve,2007-3896;
reference:url,www.microsoft.com/technet/security/advisory/943521.mspx;
reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx;
classtype:attempted-user; sid:13272; rev:3;)

They say it is just a 'mailto:&apos; match (which seems common with the web
pages these days) and then a "Regular Expression" which is causing our
sensors to not like it and CPU is consumed.

I know we run a slightly older rules (due to antiquated hardware,
corporate bureaucratic red tape, etc.) but are all these rules so bad?
My engineers say this is not good and I wonder if we are detecting on
what we need to or if there are dropped packets due to so much bad
rules using CPU and RAM?  Is there a better rule list I can use for my
sensors?

Thank you.

Miso, CISO








------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of 
discussion for anyone considering optimizing the pricing and packaging model 
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: