Snort mailing list archives
WEB-CLIENT javascript URL host spoofing attempt
From: Shane Hickey <shane () howsyournetwork com>
Date: 26 Nov 2002 09:19:14 -0700
Howdy, I've been noticing this rule matching fairly regularly, so I did some reading on the BugTraq site. It seems to me that an exploit would need to have "javascript://some.domain.com/" in the packet. However, the snort rule just matches "javascript\://". It seems that this is matching a lot of legitimate javascript? Please keep in mind, though, that I know nothing about javascript. I'm also crappy with regular expressions, but what would be the expression for matching "javascript\://N" where N is anything but whitespace? Shane ------------------------------------------------------- This SF.net email is sponsored by: Get the new Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- WEB-CLIENT javascript URL host spoofing attempt Shane Hickey (Nov 26)