[Snort-sigs] False positive in snort rule "WEB-CLIENT Javascript URL host spoofing attempt"

Richard Bennett richard.bennett at ...1841...
Wed Feb 11 09:19:37 EST 2004

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

[**] [1:1841:3] WEB-CLIENT Javascript URL host spoofing attempt [**]


False positives using Sherlock under Mac OS X 10.3
Detailed Information:
Using Sherlock under Mac OS X 10.3 gives this message:
[Classification: Attempted User Privilege Gain] [Priority: 1]
02/10-20:09:39.336518 -> 192.168.123.xxx:62323
TCP TTL:112 TOS:0x80 ID:8065 IpLen:20 DgmLen:1269 DF
***A**** Seq: 0xC38A0590  Ack: 0xA44D71C4  Win: 0xFDF0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 27881030 2326570985
[Xref => http://www.securityfocus.com/bid/5293]
Affected Systems:
Mac OS X 10.3 running Sherlock
Attack Scenarios:
Ease of Attack:
False Positives:

False Negatives:
Corrective Action:
I don't know.

Additional References:

More information about the Snort-sigs mailing list