[Snort-sigs] sid:1841 / Question about within: x

nard nard at ...2038...
Wed Nov 26 04:26:12 EST 2003

I am seeing some FP's on sid 1841, so am attempting to improve the rule to
match on more than just "javascript://" in any traffic on TCP:80. This
is more for a learning exercise than anything else.

On further inspection of the vulnerability, successful exploitation
requires a line of code containing the following 3 things without any
whitespace between them.

o javascript://
o some domain name
o \n
eg... javascript://www.somedomain.com\n 

Therefore a good rule would search for something like the following.

content:!" "; \
between; content:"javascript://"; \
and content:"\\n"

Obviously I have made up the "between" keyword / syntax to express my
point, how do I specify this in valid rule language?

I have worked around this at present by using within:15; (see below),
however I am not really happy about how this works as it will not
trigger with short domain names.

Also, I notice there are a few more keywords available in snort current
than what I have seen in the past. Can someone point me to a verbose
document that explains them?
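
The condition described in the post ("javascript://", then a host, then "\n", with no whitespace anywhere between) can be written as a regular expression, which Snort can carry in its pcre rule option. The sketch below is an added example, not part of the original post or of the Snort rule set; it assumes "\n" means the literal backslash-n of the post's content:"\\n", and every payload is a constructed sample.

```python
import re

# Bare substring match, as the post describes the current sid:1841 behaviour.
BARE = b"javascript://"

# Assumption: "\n" is the literal two bytes backslash + n (the post's
# content:"\\n"). \S+ demands at least one byte and no whitespace in between.
STRICT = re.compile(rb"javascript://\S+\\n")

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("page example", rb'javascript://www.somedomain.com\n'),
    ("short domain", rb'javascript://a.io\n'),
    ("space after scheme", rb'see javascript:// links, then a literal \n'),
    ("space before \\n", rb'javascript://www.somedomain.com \n'),
    ("no \\n at all", rb'<a href="javascript://">top</a>'),
    ("unrelated", rb'GET /index.html HTTP/1.0'),
]


def evaluate(samples):
    """Return (label, bare_hit, strict_hit) for each payload."""
    return [
        (label, BARE in data, STRICT.search(data) is not None)
        for label, data in samples
    ]


def suppressed(samples):
    """Labels that the bare match alerts on but the strict pattern does not."""
    return [label for label, bare, strict in evaluate(samples) if bare and not strict]


if __name__ == "__main__":
    for label, bare, strict in evaluate(SAMPLES):
        print(f"{label:20} bare={bare!s:5} strict={strict}")
    print("alerts dropped by the strict pattern:", suppressed(SAMPLES))
```

Because the pattern puts no upper or lower bound on the host length beyond one byte, it behaves the same for short and long domain names.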

