[Snort-sigs] rule 1497 should be fixed

Joseph Gama josephgama at ...144...
Tue Jul 27 21:55:02 EDT 2004


Hi Shomiron,

Thank you for the feedback.
Actually I found out that </script > works in IE6,
Mozilla and probably in other browsers. But the string
<script seems to be universal.

Peace,

Joseph Gama


--- "Shomiron Das Gupta [NetMonastery]"
<shomiron at ...2657...> wrote:
> Agree with you Joseph, 
> 
> Infact it could have been better if we were looking
> for </script> as the
> latter will never change.
> 
> -shomiron
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On
> Behalf Of Joseph Gama
> Sent: Tuesday, July 27, 2004 7:07 AM
> To: snort
> Subject: [Snort-sigs] rule 1497 should be fixed
> 
> 
> rule 1497 will fail for 
> <SCRIPT language="JavaScript">alert("hi");</SCRIPT>
> 
> It should be changed like this:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC cross site scripting
> attempt"; flow:to_server,established;
> content:"<SCRIPT"; nocase;
> classtype:web-application-attack; sid:1497; rev:7;)
> 
> No spaces after SCRIPT to avoid dealing with char
> 20,
> 09, 0A, 0D or >
> 
> Peace,
> 
> Joseph
> 
> 
> 		
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
> 
> 
>
-------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic
> Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1
> today.
>
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 



		
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail




More information about the Snort-sigs mailing list