WEB-CLIENT javascript URL host spoofing attempt

[Shane Hickey <shane () howsyournetwork com>]

Howdy, I've been noticing this rule matching fairly regularly, so I did
some reading on the BugTraq site.  It seems to me that an exploit would
need to have "javascript://some.domain.com/" in the packet.  However,
the snort rule just matches "javascript\://".  It seems that this is
matching a lot of legitimate javascript?  Please keep in mind, though,
that I know nothing about javascript.  I'm also crappy with regular
expressions, but what would be the expression for matching
"javascript\://N" where N is anything but whitespace?

Shane



-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users