[Snort-sigs] rule 1667 should be replaced

Joseph Gama josephgama at ...144...
Tue Jul 27 13:59:25 EDT 2004


Rule 1667 has many flaws:
1-spaces between keywords are not considered
2-SRC doesn't have to follow IMG
3-javascript might have ', " or nothing
4-in IE it is possible to obfuscate the keyword
javascript with any number of chars 0x09 to 0x13

This is my proposal for replacement:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt with SRC"; classtype:web-application-attack; sid:1667; rev:6;)

It considers all of the problems cited above.


Joseph Gama
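
An added example, not part of the original post and not the author's rule: a Python sketch of a pattern that covers the four points listed above, run over constructed payloads next to a fixed-string check. The fixed string, the function names and the sample payloads are assumptions; the filler range is the one stated in the post, and payloads are assumed to be already URL-decoded.

```python
import re

# Filler bytes the post says IE tolerates inside the keyword (range as stated there).
FILLER = rb"[\x09-\x13]*"

# "javascript" with optional filler after every letter, then the scheme colon.
KEYWORD = FILLER.join(re.escape(bytes([c])) for c in b"javascript") + FILLER + rb":"

IMG_SRC_JS = re.compile(
    rb"<img\b"          # tag name
    rb"[^>]*?"          # point 2: other attributes may precede SRC
    rb"\bsrc\s*=\s*"    # point 1: optional whitespace around '='
    rb"[\"']?\s*"       # point 3: single quote, double quote or none
    + KEYWORD,          # point 4: keyword split by filler bytes
    re.IGNORECASE,
)

def literal_match(payload: bytes) -> bool:
    """Fixed-string check of the kind the post criticises (assumed form)."""
    return b"img src=javascript" in payload.lower()

def regex_match(payload: bytes) -> bool:
    """True when an IMG tag's SRC value starts with the javascript: scheme."""
    return IMG_SRC_JS.search(payload) is not None

# Constructed request-body fragments: (payload, should_alert)
SAMPLES = [
    (b"<img src=javascript:x>", True),
    (b'<IMG   SRC = "javascript:x">', True),
    (b"<img alt=a width=1 src='javascript:x'>", True),
    (b'<img src="jav\tasc\nript:x">', True),
    (b'<img src="/static/javascript-logo.png">', False),
    (b"<img src=javascript.png>", False),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(f"{payload!r:45} literal={literal_match(payload)!s:5} "
              f"regex={regex_match(payload)!s:5} expected={expected}")
```

The fixed string alerts only on the first sample and also fires on the benign last one, while the pattern matches the four expected payloads and neither benign one.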

