[Snort-users] WEB-CLIENT javascript URL host spoofing attempt

Shane Hickey shane at ...5522...
Tue Nov 26 08:20:02 EST 2002


Howdy, I've been noticing this rule matching fairly regularly, so I did
some reading on the BugTraq site.  It seems to me that an exploit would
need to have "javascript://some.domain.com/" in the packet.  However,
the snort rule just matches "javascript\://".  It seems that this is
matching a lot of legitimate javascript?  Please keep in mind, though,
that I know nothing about javascript.  I'm also crappy with regular
expressions, but what would be the expression for matching
"javascript\://N" where N is anything but whitespace?

Shane
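
Added example, not part of the original post and not taken from the Snort rule set: a Python comparison of the broad "javascript://" match with the "javascript://N" (N non-whitespace) match the post asks about, run over constructed payload fragments. The stricter host-shaped pattern and all sample strings are assumptions made for illustration.

```python
import re

# Broad match: the rule's content string as quoted in the post, modelled
# here as a plain substring test (assumption: other rule options not shown).
BROAD = re.compile(r"javascript://")

# The match asked about in the post: "javascript://N", N any non-whitespace.
NON_WS = re.compile(r"javascript://\S")

# Stricter variant (assumption): require a dotted host name and a slash,
# the "javascript://some.domain.com/" shape quoted in the post.
HOST = re.compile(r"javascript://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/")

# Constructed payload fragments, not captured traffic.
SAMPLES = [
    '<a href="javascript://some.domain.com/">x</a>',
    '<a href="javascript:// open the menu\nshowMenu()">menu</a>',
    '<a href="javascript://">noop</a>',
    '<a href="javascript:void(0)">noop</a>',
    "<script>// see javascript://localhost notes</script>",
]


def classify(payload):
    """Report which of the three patterns fire on one payload."""
    return {
        "broad": bool(BROAD.search(payload)),
        "non_ws": bool(NON_WS.search(payload)),
        "host": bool(HOST.search(payload)),
    }


def hit_counts(samples=SAMPLES):
    """Count alerts per pattern across the sample set."""
    counts = {"broad": 0, "non_ws": 0, "host": 0}
    for payload in samples:
        for name, hit in classify(payload).items():
            counts[name] += int(hit)
    return counts


if __name__ == "__main__":
    for payload in SAMPLES:
        print(classify(payload), repr(payload))
    print(hit_counts())
```

On these samples the non-whitespace form still fires on `javascript://"`, because the closing quote is itself a non-whitespace character; only the host-shaped pattern separates that case.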




