[Snort-sigs] EXPERIMENTAL WEB-CLIENT javascript URL host spoofing attempt

Svein Erik Søberg ses at ...1152...
Mon Jan 6 06:17:03 EST 2003


>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL 
>WEB-CLIENT javascript URL host spoofing attempt"; 
>flow:to_client,established; content:"javascript\://"; 
>content:!"javascript\://\"";nocase; classtype:attempted-user; 
>reference:bugtraq,5293; sid:1001841; rev:1;)


In case someone is interested:

I substituted the old rule with the above one, and ran an old log I've saved.
The number of alerts was reduced from 102 to 24.

The remaining alerts all contain some variations of 'href="javascript://Scroll up"' (or 'Privacy', 'Disclaimer' and so on).


Svein Erik Søberg
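
Why labelled links such as 'href="javascript://Scroll up"' still alert under the quoted rule, as an added example that is not part of the original post: a simplified Python model of the rule's two content options only (flow, ports and stream handling are ignored), run over constructed HTML payloads. The function names and sample payloads are assumptions.

```python
# Simplified model of the two content options in the quoted rule.
FIRST = b'javascript://'      # content:"javascript\://";  (case-sensitive)
NEGATED = b'javascript://"'   # content:!"javascript\://\""; nocase;


def rule_fires(payload: bytes) -> bool:
    """True when this model of the rule would alert on one payload."""
    if FIRST not in payload:  # the positive content must be present
        return False
    # Negated content with nocase: any occurrence in the payload, in any
    # letter case, makes the whole rule fail.
    return NEGATED.lower() not in payload.lower()


def triage(payloads):
    """Split payloads into (alerting, silent) lists."""
    alerting, silent = [], []
    for p in payloads:
        (alerting if rule_fires(p) else silent).append(p)
    return alerting, silent


# Constructed sample payloads (not taken from the poster's log).
SAMPLES = [
    b'<a href="javascript://Scroll up">top</a>',
    b'<a href="javascript://Privacy">Privacy</a>',
    b'<a href="javascript://Disclaimer">Disclaimer</a>',
    b'<a href="javascript://">menu</a>',
    b'<a href="javascript://"></a><a href="javascript://Scroll up">top</a>',
    b'<a href="/index.html">home</a>',
]

if __name__ == "__main__":
    alerting, silent = triage(SAMPLES)
    for p in alerting:
        print("ALERT ", p.decode())
    for p in silent:
        print("silent", p.decode())
```

The fifth sample shows that the negated content is checked against the whole payload, so one empty `javascript://"` link silences the rule for everything else in the same payload.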



