Snort mailing list archives

Being killed by poor IE rules...


From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Tue, 26 Jan 2010 15:54:39 +0000

Hello.  The rules with SID 14645, 14643, 11966 are hammering my web
snorts.  The first two are GID:3 so I cannot be of help in making them
better :( but the last one is this:



web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption
attempt"; flow:to_client,established;
pcre:"/\x3c[^\x3e]*style=[^\x3e]*csstext\x3a.*\x3e/i";
reference:bugtraq,24423; reference:cve,2007-1750;
reference:url,www.microsoft.com/technet/security/Bulletin/MS07-033.mspx;
classtype:attempted-user; sid:11966; rev:1;)



Clearly the naked pcre is a big no-no.  Here are some stats from
performance (notice how terrible it is):



SID     GID     Checks   Matches    Alerts     Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===     ===     ======   =======    ======     =========  =========  =========  ============  ========
14645     3     158641         0         0      11579605       73.0        0.0          73.0         0
14643     3     158641         0         0       5870863       37.0        0.0          37.0         0
11966     1    5129886         0         0       5847694        1.1        0.0           1.1         0

SID     GID     Checks   Matches    Alerts     Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===     ===     ======   =======    ======     =========  =========  =========  ============  ========
14645     3      31623         0         0       3878806      122.7        0.0         122.7         0
11966     1    1506965         0         0       1656476        1.1        0.0           1.1         0
14643     3      31623         0         0       1443499       45.6        0.0          45.6         0



I am starting to wonder about the VRT snort rules ... raw pcre with no
content? ... and these GID:3 rules? ... makes me think what they are
hiding ... it is tough to get good community feedback when the rules
are hidden/compiled.  When I see such poor performing rules it shows
me a need for a person to go through old rules and make them better.
And I am the perfect person for this job (if I can work from France,
but I don't think that would be a problem).  I already feel like
SourceFire should be paying me, with all my good suggestions ;)



Guise
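The point of the post is that a bare pcre runs on every packet the rule's header matches, while a literal content match in front of it lets the engine skip the regex on most traffic. The script below is an added illustration, not code from the post or from the Snort project: it evaluates the SID 11966 regex over a handful of constructed payloads with and without a hypothetical prefilter literal ("csstext:", which every match of that regex must contain) and checks that the prefilter cuts the regex evaluations without losing an alert. In an actual Snort rule the equivalent would be a `content:"cssText:"; nocase;` option placed before the pcre.

```python
import re

# The regex quoted from rule 11966 (pcre /.../i), compiled on bytes.
SID_11966_PCRE = re.compile(rb"\x3c[^\x3e]*style=[^\x3e]*csstext\x3a.*\x3e",
                            re.IGNORECASE)

# Hypothetical prefilter literal: the regex requires "csstext" followed by
# ":" (\x3a), so no payload can match without containing this substring.
PREFILTER = b"csstext:"

# Constructed sample payloads standing in for HTTP responses to a client.
PAYLOADS = [
    b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>",
    b'<div style="color:red">plain style attribute, no cssText</div>',
    b'<div style="x" onclick="el.style.cssText:foo">matches</div>',
    b'<p STYLE=" cssText: color:red">mixed case, also matches</p>',
    # A large benign page: many tags, no "style=" at all.
    b"\r\n".join(b"<span>" + bytes([65 + i % 26]) * 40 + b"</span>"
                 for i in range(200)),
]


def scan(payloads, prefilter=None):
    """Return (alerts, regex_evaluations) for the payload list.

    With a prefilter, the regex is only evaluated on payloads that contain
    the literal (case-insensitively), mirroring how a content match ahead
    of pcre keeps the expensive check off most packets."""
    alerts = evaluations = 0
    for payload in payloads:
        if prefilter is not None and prefilter not in payload.lower():
            continue  # cheap substring test failed: regex never runs
        evaluations += 1
        if SID_11966_PCRE.search(payload):
            alerts += 1
    return alerts, evaluations


def prefilter_preserves_alerts(payloads, prefilter):
    """Regression check a rule tuner must make: the prefiltered rule must
    alert on exactly the same payloads as the bare-pcre rule."""
    return scan(payloads)[0] == scan(payloads, prefilter)[0]


if __name__ == "__main__":
    print("bare pcre      (alerts, evaluations):", scan(PAYLOADS))
    print("with prefilter (alerts, evaluations):", scan(PAYLOADS, PREFILTER))
    print("prefilter safe:", prefilter_preserves_alerts(PAYLOADS, PREFILTER))
```

The counts show the regex running on every payload without the prefilter and only on the two that carry the literal with it, while the alert count stays the same.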


