[Snort-sigs] rule 1497 should be fixed

Shomiron Das Gupta [NetMonastery] shomiron at ...2657...
Mon Jul 26 23:18:03 EDT 2004


Agree with you Joseph, 

In fact it could have been better if we were looking for </script> as the
latter will never change.

-shomiron

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joseph Gama
Sent: Tuesday, July 27, 2004 7:07 AM
To: snort
Subject: [Snort-sigs] rule 1497 should be fixed


rule 1497 will fail for 
<SCRIPT language="JavaScript">alert("hi");</SCRIPT>

It should be changed like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC cross site scripting attempt"; \
    flow:to_server,established; content:"<SCRIPT"; nocase; \
    classtype:web-application-attack; sid:1497; rev:7;)

No spaces after SCRIPT to avoid dealing with char 20,
09, 0A, 0D or >

Peace,

Joseph
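
Added example, not part of the original thread or of Snort itself: a small Python model of a `content` match with `nocase`, run over constructed payloads to compare the three patterns discussed. It assumes the existing rule matches the literal `<SCRIPT>` (the thread implies this but does not quote the rule); the names `content_match`, `CANDIDATES`, `SAMPLES` and `coverage` are hypothetical.

```python
# Added example: models Snort's `content` + `nocase` as a case-insensitive
# byte-substring search. All payloads below are constructed for illustration.

def content_match(payload: bytes, content: bytes, nocase: bool = True) -> bool:
    """Return True if `content` occurs anywhere in `payload`."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload

# Patterns discussed in the thread. "<SCRIPT>" is an assumption about the
# existing rule 1497; the thread does not quote it.
CANDIDATES = {
    "assumed current": b"<SCRIPT>",
    "Joseph": b"<SCRIPT",
    "Shomiron": b"</script>",
}

# Constructed payload fragments: the thread's sample, plus one for each
# character Joseph lists as able to follow SCRIPT (0x20, 0x09, 0x0A, 0x0D, '>').
SAMPLES = {
    "bare tag": b'comment=<script>alert("hi");</script>',
    "space": b'comment=<SCRIPT language="JavaScript">alert("hi");</SCRIPT>',
    "tab": b'comment=<script\tlanguage="JavaScript">alert("hi");</script>',
    "lf": b'comment=<script\nlanguage="JavaScript">alert("hi");</script>',
    "cr": b'comment=<script\rlanguage="JavaScript">alert("hi");</script>',
    "benign": b"comment=nice+article",
}

def coverage() -> dict:
    """Map each candidate name to the set of sample names it would alert on."""
    return {
        name: {s for s, payload in SAMPLES.items() if content_match(payload, pat)}
        for name, pat in CANDIDATES.items()
    }

if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:16} -> {sorted(hits)}")
```
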
