[Snort-devel] Getting lots of hits on sid:1841

Russell Fulton r.fulton at ...1343...
Wed Sep 4 09:19:02 EDT 2002


Hi,
	I am running 1.9beta6 with current rule sets and I am seeing lots
(up to dozens per hour from several different servers) of hits on this
rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
WEB-CLIENT javascript URL host spoofing attempt";
flow:to_client,established; content:"javascript\://"; nocase;
classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)

I strongly suspect that these are false +ves but I cannot verify this
since snort never logs the packet? I have had this problem with other
versions of snort where some rules never log packets but I never got an
explanation.

Anyone got any ideas? 

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
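
A way to test the false-positive suspicion offline, as an added example that is not part of the original post and is not Snort code: a small Python model of the rule's content/nocase match, run over two constructed HTTP response bodies. The function names and sample bodies are assumptions; flow state and positional modifiers are not modelled.

```python
import itertools
import re

# sid:1841 as quoted in the post, joined onto one line.
RULE = (r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
        r'msg:"EXPERIMENTAL WEB-CLIENT javascript URL host spoofing attempt"; '
        r'flow:to_client,established; content:"javascript\://"; nocase; '
        r'classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)')

def parse_options(rule):
    """Split the option list on ';' outside quotes, honouring backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for raw in re.findall(r'(?:\\.|"(?:\\.|[^"\\])*"|[^;"\\])+', body):
        key, _, val = raw.strip().partition(":")
        if key:
            opts.append((key.strip(), val.strip()))
    return opts

def content_bytes(value):
    """Decode a content argument: drop escape backslashes, expand |hex| runs."""
    out = bytearray()
    for esc, hexrun, ch in re.findall(r'\\(.)|\|([0-9A-Fa-f ]*)\||(.)', value.strip('"'), re.S):
        out += bytes.fromhex(hexrun) if hexrun else (esc or ch).encode()
    return bytes(out)

def content_hits(rule, payload):
    """Offset of each content match, or None if any content option is absent."""
    opts, hits = parse_options(rule), []
    for i, (key, val) in enumerate(opts):
        if key != "content":
            continue
        mods = [m for m, _ in itertools.takewhile(lambda o: o[0] != "content", opts[i + 1:])]
        needle, hay = content_bytes(val), payload
        if "nocase" in mods:  # nocase modifies the content option before it
            needle, hay = needle.lower(), hay.lower()
        pos = hay.find(needle)
        if pos < 0:
            return None
        hits.append(pos)
    return hits

# Constructed response bodies (not captured traffic).
NOOP_LINK = b'<a href="JavaScript://" onclick="showHelp()">Help</a>'
VOID_LINK = b'<a href="javascript:void(0)">Help</a>'

if __name__ == "__main__":
    for body in (NOOP_LINK, VOID_LINK):
        print(content_hits(RULE, body))
```

The rule's only payload test is a case-insensitive substring anywhere in server-to-client data, so a page that uses `javascript://` as a do-nothing link target matches it.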




