Snort mailing list archives
Microsoft Windows ShellExecute and IE7 url handling code execution
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Fri, 8 Jan 2010 19:47:52 +0000
I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt" not perform well. It is takes 15-20 times more processing to check it than most rule. Here is what it has: flow:to_client,established; content:".com"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i"; Can it be split up (mailto, telnet, news, nntp, snews) to add more content match then just ".com"? ".com" will match on all web pages with links to .com URLs and will cause the PCRE engine to engage. along with a greedy wildcard. Other performance changes are welcome ass well. Thanks. Guise
------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Microsoft Windows ShellExecute and IE7 url handling code execution Guise McAllaster (Jan 08)
- Re: Microsoft Windows ShellExecute and IE7 url handling code execution Guise McAllaster (Jan 14)
- Re: Microsoft Windows ShellExecute and IE7 url handling code execution Matt Olney (Jan 15)