[Snort-sigs] bad rule

Justin Heath justin.heath at ...2420...
Sun Jul 30 11:16:22 EDT 2006


Wally,

This syntax is allowed. Was snort complaining about the rule? If so,
what was the error and what version are you running?

Thanks,
Justin  Heath

On 7/28/06, Gentoo-Wally <gentoowally at ...2420...> wrote:
> Just updated my community set and the following rule has a syntax error...
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt";
> flow:established,to_server; uricontent:"/services/help/index.php";
> nocase:; uricontent:"show="; nocase:; uricontent:"URL=javascript";
> nocase:; reference:bugtraq,18845; classtype:web-application-attack;
> sid:100000703; rev:1;)
>
> Should be....
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt";
> flow:established,to_server; uricontent:"/services/help/index.php";
> nocase; uricontent:"show="; nocase; uricontent:"URL=javascript";
> nocase; reference:bugtraq,18845; classtype:web-application-attack;
> sid:100000703; rev:1;)
>
> changed the three nocase:; to nocase;
>
> wally
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list