[Snort-sigs] False positive in snort rule "WEB-CLIENT Javascript URL host spoofing attempt"

Richard Bennett richard.bennett at ...1841...
Wed Feb 11 09:19:37 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
[**] [1:1841:3] WEB-CLIENT Javascript URL host spoofing attempt [**]

--
Sid:

--
Summary:
False positives using Sherlock under Mac OS X 10.3
--
Impact:
Minimal
--
Detailed Information:
Using Sherlock under Mac OS X 10.3 gives this message:
[Classification: Attempted User Privilege Gain] [Priority: 1]
02/10-20:09:39.336518 209.202.216.25:80 -> 192.168.123.xxx:62323
TCP TTL:112 TOS:0x80 ID:8065 IpLen:20 DgmLen:1269 DF
***A**** Seq: 0xC38A0590  Ack: 0xA44D71C4  Win: 0xFDF0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 27881030 2326570985
[Xref => http://www.securityfocus.com/bid/5293]
--
Affected Systems:
Mac OS X 10.3 running Sherlock
--
Attack Scenarios:
None.
--
Ease of Attack:
N/A
--
False Positives:

--
False Negatives:
Yes.
--
Corrective Action:
I don't know.
--
Contributors:

-- 
Additional References:





More information about the Snort-sigs mailing list