[Snort-sigs] duplicate rules

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Wed Jun 5 08:12:06 EDT 2002


using the same SID, at least
 
web-misc.rules:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
cross site scripting attempt"; flow:to_server,established;
content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497;
rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
cross site scripting attempt"; flow:to_server,established;
content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497;
rev:6;)
 
AND
 
web-misc.rules:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
cross site scripting \(img src=javascript\) attempt";
flow:to_server,established; content:"img src=javascript"; nocase;
classtype:web-application-attack; sid:1667; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL cross
site scripting \(img src=javascript\) attempt"; flow:to_server,established;
content:"img src=javascript"; nocase; classtype:web-application-attack;
sid:1667;  rev:3;)
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020605/5b19fc70/attachment.html>


More information about the Snort-sigs mailing list