Snort mailing list archives
Re: Being killed by poor IE rules...
From: "Keith Butler" <snort () netoffense com>
Date: Tue, 26 Jan 2010 10:55:08 -0600 (CST)
The suggestions are enlightening and appreciated; the self-aggrandizing is getting old.

----- Original Message -----
From: "Guise McAllaster" <guise.mcallaster () gmail com>
Sent: Tue, January 26, 2010 10:54
Subject: [Snort-sigs] Being killed by poor IE rules...

Hello. The rules with SID 14645, 14643, 11966 are hammering my web snorts. The first two are GID:3, so I cannot be of help in making them better :( but the last one is this:

web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt"; flow:to_client,established; pcre:"/\x3c[^\x3e]*style=[^\x3e]*csstext\x3a.*\x3e/i"; reference:bugtraq,24423; reference:cve,2007-1750; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-033.mspx; classtype:attempted-user; sid:11966; rev:1;)

Clearly the naked pcre is a big no-no. Here are some stats from performance (notice how terrible it is):

  SID  GID   Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
  ===  ===   ======  =======  ======  =========  =========  =========  ============  ========
14645    3   158641        0       0   11579605       73.0        0.0          73.0         0
14643    3   158641        0       0    5870863       37.0        0.0          37.0         0
11966    1  5129886        0       0    5847694        1.1        0.0           1.1         0

  SID  GID   Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
  ===  ===   ======  =======  ======  =========  =========  =========  ============  ========
14645    3    31623        0       0    3878806      122.7        0.0         122.7         0
11966    1  1506965        0       0    1656476        1.1        0.0           1.1         0
14643    3    31623        0       0    1443499       45.6        0.0          45.6         0

I am starting to wonder about the VRT snort rules ... raw pcre with no content? ... and these GID:3 rules? ... makes me wonder what they are hiding ... it is tough to get good community feedback when the rules are hidden/compiled. When I see such poor-performing rules it shows me a need for a person to go through old rules and make them better. And I am the perfect person for this job (if I can work from France, but I don't think that would be a problem).

I already feel like SourceFire should be paying me, with all my good suggestions ;)

Guise

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

----- End of original message -----
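The point Guise is making about SID 11966 (a pcre with no content option means Snort has nothing for its fast-pattern matcher to prefilter on, so the regex is evaluated against every packet that matches the rule header) can be shown outside Snort. The script below is an added editor's example, not code from the thread or from the VRT. It compiles the pcre quoted in the post, runs it two ways over a handful of constructed HTTP responses (not captured traffic), and counts how many times the regex actually executes. The second way mirrors what adding `content:"csstext"; nocase;` ahead of the pcre would do in a rewritten rule; that rewrite is the editor's assumption, not anything the VRT published. It also checks that the prefilter is sound: because the pcre itself requires the literal `csstext:`, no payload the pcre would match can be dropped by the content check.

```python
import re

# The pcre quoted from the post, as Python's re engine sees it. Snort's /i
# flag maps to re.IGNORECASE; \x3c and \x3e are '<' and '>'.
PCRE = re.compile(rb"\x3c[^\x3e]*style=[^\x3e]*csstext\x3a.*\x3e", re.IGNORECASE)

# Literal that every match of PCRE must contain. The equivalent Snort option
# would be  content:"csstext"; nocase;  placed before the pcre option
# (assumed rewrite by the editor, not a rule from the thread).
CONTENT = b"csstext"

# Constructed sample responses, not real traffic. Index 2 is the only one the
# pcre should match. Index 3 contains the literal inside a script body, so it
# passes the content prefilter but fails the pcre (no style= attribute inside
# a tag). The rest never contain the literal at all.
SAMPLE_PAYLOADS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Hello</p></body></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body style=\"cssText: expression(alert(1))\">x</body></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><script>el.style.cssText = 'color:red';</script></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"
    b"var a = 1; // nothing interesting here\n",
]


def pcre_only(payloads):
    """Rule as posted: the regex runs on every payload.

    Returns (number_of_regex_evaluations, [indices that alerted]).
    """
    evaluated = 0
    hits = []
    for i, p in enumerate(payloads):
        evaluated += 1
        if PCRE.search(p):
            hits.append(i)
    return evaluated, hits


def content_then_pcre(payloads):
    """Rewritten rule: a cheap case-insensitive literal check gates the regex.

    bytes.lower() is ASCII-only, which matches the ASCII folding Snort's nocase
    and the pcre /i flag perform. Returns the same tuple shape as pcre_only().
    """
    evaluated = 0
    hits = []
    for i, p in enumerate(payloads):
        if CONTENT not in p.lower():
            continue            # fast-pattern miss: regex never runs
        evaluated += 1
        if PCRE.search(p):
            hits.append(i)
    return evaluated, hits


def prefilter_is_sound(payloads):
    """True if every payload the pcre matches also passes the content check,
    i.e. adding content:"csstext"; nocase; cannot suppress a genuine alert."""
    return all(CONTENT in p.lower() for p in payloads if PCRE.search(p))


if __name__ == "__main__":
    before = pcre_only(SAMPLE_PAYLOADS)
    after = content_then_pcre(SAMPLE_PAYLOADS)
    print("pcre only      : %d regex evaluations, alerts on %s" % before)
    print("content + pcre : %d regex evaluations, alerts on %s" % after)
    print("prefilter sound:", prefilter_is_sound(SAMPLE_PAYLOADS))
```

On the five constructed responses the regex runs five times without the content option and twice with it, with identical alerts; on a real sensor the ratio tracks how rare the literal is in traffic, which is the whole reason the fast-pattern matcher exists. Picking the literal is the part that needs care: it must be something every true positive contains (here `csstext:` is mandatory in the pcre, so `csstext` is safe) and as long and as uncommon as possible, since a short or common content gives the matcher little to discard.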
Current thread:
- Being killed by poor IE rules... Guise McAllaster (Jan 26)
- <Possible follow-ups>
- Re: Being killed by poor IE rules... Keith Butler (Jan 26)
- Re: Being killed by poor IE rules... Matt Olney (Jan 26)
- Re: Being killed by poor IE rules... Guise McAllaster (Jan 27)
- Re: Being killed by poor IE rules... Matt Olney (Jan 27)
- Re: Being killed by poor IE rules... Nigel Houghton (Jan 27)
- Re: Being killed by poor IE rules. evilghost () packetmail net (Jan 27)
- Re: Being killed by poor IE rules. JJ Cummings (Jan 27)
- Re: Being killed by poor IE rules. evilghost () packetmail net (Jan 27)
- Re: Being killed by poor IE rules. JJ Cummings (Jan 27)
- Re: Being killed by poor IE rules... Matt Olney (Jan 26)
- Re: Being killed by poor IE rules. Nigel Houghton (Jan 27)
- Re: Being killed by poor IE rules... Joel Esler (Jan 27)