[Snort-sigs] Avoidance of 2437.5 (WEB-CLIENT RealPlayer arbitrary javascript command attempt)

Brian bmc at ...95...
Tue Jul 6 08:04:22 EDT 2004


On Fri, Jul 02, 2004 at 06:00:00PM -0600, nnposter at ...592... wrote:
> I am proposing to follow the MIME header with "\s*" instead of "\s+":
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; 
> flow:to_client,established; content:"Content-Type|3A|"; nocase; 
> pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; 
> reference:bugtraq,8453; reference:bugtraq,9738; 
> reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:6;)

yep
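
A regression check for the change discussed above, added here as an example and not part of the original thread or of the Snort rule set. It runs the proposed rev 6 pattern and an assumed earlier form (the same pattern with "\s+" after the header name) over constructed HTTP responses; the sample responses and all function names are hypothetical.

```python
import re

# Snort's /smi modifiers correspond to DOTALL, MULTILINE and IGNORECASE.
FLAGS = re.S | re.M | re.I

# Shared tail of the pattern, copied from the rule quoted above.
TAIL = r"application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a"
# Proposed rev 6 pattern: optional whitespace after the header name.
REV6 = re.compile(r"^Content-Type\x3a\s*" + TAIL, FLAGS)
# Assumption: the earlier form is identical except that it requires whitespace.
REV5 = re.compile(r"^Content-Type\x3a\s+" + TAIL, FLAGS)


def response(sep, ctype="application/smil", href="file:javascript:PLACEHOLDER"):
    """Constructed server response; sep is the text between ':' and the media type."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Server: example\r\n"
        f"Content-Type:{sep}{ctype}\r\n"
        "\r\n"
        f'<smil><body><area href="{href}"/></body></smil>\r\n'
    )


# Constructed positives: same body, different spacing after the header name.
POSITIVES = {
    "single space": response(" "),
    "tab": response("\t"),
    "no whitespace": response(""),
}

# Constructed negatives: neither revision should alert on these.
NEGATIVES = {
    "smil, ordinary href": response(" ", href="http://example.invalid/clip.rm"),
    "html, same area tag": response(" ", ctype="text/html"),
}


def coverage(pattern, samples):
    """Return {sample name: True if the pattern would fire on it}."""
    return {name: bool(pattern.search(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for label, pat in (("rev5 (\\s+)", REV5), ("rev6 (\\s*)", REV6)):
        print(label, coverage(pat, POSITIVES), coverage(pat, NEGATIVES))
```
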



