[Snort-devel] Getting lots of hits on sid:1841

Chris Green cmg at ...402...
Wed Sep 4 10:35:04 EDT 2002


Russell Fulton <r.fulton at ...1343...> writes:

> Hi,
> 	I am running 1.9beta6 with current rule sets and I am seeing lots
> (up to dozens per hour from several different servers) of hits on this
> rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
> WEB-CLIENT javascript URL host spoofing attempt";
> flow:to_client,established; content:"javascript\://"; nocase;
> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
>
> I strongly suspect that these are false +ves but I can not verify this
> since snort never logs the packet? I have had this problem with other
> versions of snort where some rules never log packets but I never got an
> explanation.

What's your command line / log output system?

[ follow up to snort-devel ]
-- 
Chris Green <cmg at ...402...>
Warning: time of day goes back, taking countermeasures.




