Snort mailing list archives

Microsoft Windows ShellExecute and IE7 url handling code execution


From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Fri, 8 Jan 2010 19:47:52 +0000

I am seeing rule "MISC Microsoft Windows ShellExecute and IE7 url handling
code execution attempt" not perform well.  It takes 15-20 times more
processing to check it than most rules.  Here is what it has:

flow:to_client,established; content:".com"; nocase;
pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i";

Can it be split up (mailto, telnet, news, nntp, snews) to add a more specific content
match than just ".com"?  ".com" will match on all web pages with links to
.com URLs and will cause the PCRE engine to engage, along with a greedy
wildcard.   Other performance changes are welcome as well.

Thanks.

Guise
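As an added illustration of the cost described in the message above (this is not part of the original post or of the Snort rule set), the following Python script emulates Snort's per-rule evaluation order, where every content option must match before the pcre option is evaluated, over a constructed set of five HTTP response bodies. It counts how often the pcre would be invoked with the rule as posted (a single content of ".com") versus the split form the post suggests: one rule per scheme, with "scheme:" as the first content and ".com" required after it, as distance:0 would enforce. The payloads, rule names and split layout are assumptions made for the demonstration; the script models only the content-then-pcre ordering inside one rule, not Snort's multi-pattern fast-pattern matcher.

```python
import re

# The pcre option from the rule quoted in the post, as a Python regex.
# Snort's /i modifier corresponds to re.IGNORECASE.
RULE_PCRE = re.compile(
    r"(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom", re.IGNORECASE
)

SCHEMES = ("mailto", "telnet", "news", "nntp", "snews")

# Rule variants, each given as the ordered list of content strings that
# must all be found (nocase, each after the previous match) before the
# pcre is run.  Names are assumptions for this demonstration.
ORIGINAL_RULE = {"as-posted": [".com"]}
SPLIT_RULES = {"split-" + s: [s + ":", ".com"] for s in SCHEMES}

# Constructed sample payloads (not captured traffic): typical pages with
# .com links, one legitimate mailto link, one body that satisfies the pcre.
CORPUS = [
    '<a href="http://www.example.com/">Example</a>',
    '<a href="https://news.example.com/story">News</a>',
    'Contact: <a href="mailto:webmaster@example.com">mail</a>',
    '<a href="mailto:test%.com">constructed trigger</a>',
    "<p>Hello world</p>",
]


def contents_match(payload, contents):
    """Emulate ordered, case-insensitive content checks: each pattern must
    start at or after the end of the previous match (distance:0)."""
    hay = payload.lower()
    pos = 0
    for c in contents:
        idx = hay.find(c.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(c)
    return True


def evaluate(payload, rules):
    """Return (pcre_invocations, alerted) for one payload over a rule set."""
    pcre_calls = 0
    alerted = False
    for contents in rules.values():
        if contents_match(payload, contents):
            # Only now does Snort hand the payload to the PCRE engine.
            pcre_calls += 1
            if RULE_PCRE.search(payload):
                alerted = True
    return pcre_calls, alerted


def run_corpus(corpus, rules):
    """Total pcre invocations and alerts over the whole corpus."""
    total_pcre = 0
    alerts = 0
    for payload in corpus:
        calls, hit = evaluate(payload, rules)
        total_pcre += calls
        alerts += int(hit)
    return total_pcre, alerts


if __name__ == "__main__":
    for label, rules in (("as posted", ORIGINAL_RULE), ("split per scheme", SPLIT_RULES)):
        calls, alerts = run_corpus(CORPUS, rules)
        print(f"{label:17s} pcre invocations={calls} alerts={alerts}")
```

On the constructed corpus the rule as posted hands four of the five bodies to the PCRE engine (everything containing ".com"), while the split rules only do so for the two bodies that actually contain "mailto:" followed by ".com"; both forms still raise the same single alert. The ratio on real web traffic is far more lopsided, since almost every HTML page carries a .com link and very few carry one of the five schemes.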
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs