[Snort-devel] Getting lots of hits on sid:1841

Russell Fulton r.fulton at ...1343...
Wed Sep 4 09:19:02 EDT 2002

	I am running 1.9beta6 with current rule sets and I seeming lots
(up to dozens per hour from several different servers) of hits on this

WEB-CLIENT javascript URL host spoofing attempt";
flow:to_client,es\tablished; content:"javascript\://"; nocase;
classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)

I strongly suspect that these are false +ves but I can not verify this
since snort never logs the packet? I have had this problem with other
versions of snort where some rules never log packets but I never got an

Anyone got any ideas? 

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin

More information about the Snort-devel mailing list