[Snort-sigs] rule 1497 should be fixed

Shomiron Das Gupta [NetMonastery] shomiron at ...2657...
Mon Jul 26 23:18:03 EDT 2004

Agree with you Joseph, 

In fact it could have been better if we were looking for </script> as the
latter will never change.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joseph Gama
Sent: Tuesday, July 27, 2004 7:07 AM
To: snort
Subject: [Snort-sigs] rule 1497 should be fixed

rule 1497 will fail for 
<SCRIPT language="JavaScript">alert("hi");</SCRIPT>

It should be changed like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; nocase; classtype:web-application-attack; sid:1497; rev:7;)

No spaces after SCRIPT to avoid dealing with char 20,
09, 0A, 0D or >
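
Added example (not part of either message, and not Snort's own code): a Python check that emulates a content match with nocase as a case-insensitive substring search, comparing the "<SCRIPT" pattern proposed above and the "</script>" alternative from the reply against a pattern that requires ">" directly after the tag name. That last pattern is an assumption, since the thread does not quote the rule text being replaced; all payloads are constructed.

```python
# Emulates Snort's content:"..."; nocase; as a case-insensitive byte
# substring search. Illustrative only; this is not Snort's matcher.

# Candidate content strings. "<SCRIPT>" is an ASSUMED stand-in for a
# pattern that needs '>' right after the tag name (hypothetical here).
CANDIDATES = {
    "tag_with_gt": b"<SCRIPT>",    # assumption, not quoted in the thread
    "open_prefix": b"<SCRIPT",     # proposed in the thread (rev:7)
    "close_tag": b"</script>",     # suggested in the reply
}

TAIL = b'language="JavaScript">alert("hi");</SCRIPT>'

# Constructed payloads: one per separator the thread lists after SCRIPT.
# sep_0x20 is exactly the tag given in the thread.
SAMPLES = {
    "sep_0x%02x" % sep: b"q=<SCRIPT" + bytes([sep]) + TAIL
    for sep in (0x20, 0x09, 0x0A, 0x0D)
}
SAMPLES["bare_tag"] = b'q=<script>alert("hi");</script>'
SAMPLES["benign"] = b"q=movie+script+review"   # no tag; must not alert


def content_nocase(payload: bytes, pattern: bytes) -> bool:
    """True if pattern occurs anywhere in payload, ignoring ASCII case."""
    return pattern.lower() in payload.lower()


def hits(candidate: str) -> set:
    """Names of the sample payloads the candidate pattern alerts on."""
    pattern = CANDIDATES[candidate]
    return {n for n, data in SAMPLES.items() if content_nocase(data, pattern)}


def missed(candidate: str) -> list:
    """Tag-bearing samples the candidate pattern does not alert on."""
    return sorted(set(SAMPLES) - {"benign"} - hits(candidate))


if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:12} missed={missed(name)} "
              f"benign_hit={'benign' in hits(name)}")
```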


