[Snort-sigs] rule 1497 should be fixed

Joseph Gama josephgama at ...144...
Mon Jul 26 18:38:00 EDT 2004


rule 1497 will fail for 
<SCRIPT language="JavaScript">alert("hi");</SCRIPT>

It should be changed like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-MISC cross site scripting
attempt"; flow:to_server,established;
content:"<SCRIPT"; nocase;
classtype:web-application-attack; sid:1497; rev:7;)

No spaces after SCRIPT to avoid dealing with char 20,
09, 0A, 0D or >

Peace,

Joseph


		
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail




More information about the Snort-sigs mailing list