[Snort-sigs] WEB-MISC cross site scripting attempt - false positive addition

Nigel Houghton nigel at ...435...
Wed Aug 4 23:41:01 EDT 2004

On  0, "G. Panula" <greg.panula at ...2688...> allegedly wrote:
> --
> Sid: 1497
> --
> Summary:  This event is generated when a cross-site scripting attack is 
> being attempted, or a potential attacker is testing your site to determine 
> if it is vulnerable.
> --
> False Positives: The default 404 error page given out by IIS 5.0 triggers 
> this alert.

I would say this is covered by the existing false positive information in
the document for the rule...

False Positives:
Web pages that legimately include the <SCRIPT> tag could generate this 
event under certain circumstances.

Unless of course, there is something more to this. Looking at the rule, I
would think it won't generate an event if the $EXTERNAL_NET,
$HTTP_SERVERS and $HTTP_PORTS are set correctly.

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonaise." -- Cartman

More information about the Snort-sigs mailing list