Snort mailing list archives
WEB-CLIENT javascript URL host spoofing attempt
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 20 Feb 2003 21:46:33 -0600
Is anyone solidly knowledgeable of this rule? The reason that I ask is that I've gotten a high number of hits on this rule, but they're to a site that I *know* our users are using frequently (our local credit union). I don't *think* this is "bad" activity, so I'm wondering what trips the rule? (And before you respond "RTFM!!", read on.)

I see that the rule states content:"javascript\://", and I've read the bugtraq discussion about stealing cookies. What I'm wondering is if this rule can be triggered by "normal" Javascript. I'm certain the credit union uses cookies, and I'm equally certain they access those cookies when you visit their site. Is this bad code on their part? Or is this rule subject to false positives? I'm also wondering if the content for this rule shouldn't be "javascript://\" (or simply "javascript:/\") rather than what it is.

Sorry, but I don't have any payload data. I can't seem to get acid to bring it up, and what I get from the database (using mysql commands) is a bunch of hex that appears like encrypted data to me. Even with hexdump it's all hex. (Here's the first sixteen lines, if that helps anyone.)
00000000 34 38 35 34 35 34 35 30 32 46 33 31 32 45 33 31 |485454502F312E31|
00000010 32 30 33 32 33 30 33 30 32 30 34 46 34 42 30 44 |20323030204F4B0D|
00000020 30 41 35 33 36 35 37 32 37 36 36 35 37 32 33 41 |0A5365727665723A|
00000030 32 30 34 45 36 35 37 34 37 33 36 33 36 31 37 30 |204E657473636170|
00000040 36 35 32 44 34 35 36 45 37 34 36 35 37 32 37 30 |652D456E74657270|
00000050 37 32 36 39 37 33 36 35 32 46 33 36 32 45 33 30 |726973652F362E30|
00000060 30 44 30 41 34 34 36 31 37 34 36 35 33 41 32 30 |0D0A446174653A20|
00000070 34 44 36 46 36 45 32 43 32 30 33 31 33 37 32 30 |4D6F6E2C20313720|
00000080 34 36 36 35 36 32 32 30 33 32 33 30 33 30 33 33 |4665622032303033|
00000090 32 30 33 31 33 35 33 41 33 32 33 33 33 41 33 34 |2031353A32333A34|
000000a0 33 39 32 30 34 37 34 44 35 34 30 44 30 41 34 33 |3920474D540D0A43|
000000b0 36 46 36 45 37 34 36 35 36 45 37 34 32 44 37 34 |6F6E74656E742D74|
000000c0 37 39 37 30 36 35 33 41 32 30 37 34 36 35 37 38 |7970653A20746578|
000000d0 37 34 32 46 36 38 37 34 36 44 36 43 30 44 30 41 |742F68746D6C0D0A|
000000e0 34 35 37 34 36 31 36 37 33 41 32 30 32 32 33 31 |457461673A202231|
000000f0 33 39 36 36 33 39 33 33 36 33 33 31 36 35 32 44 |396639336331652D|

Paul Schmehl (pauls () utdallas edu)
"The slapper worm variants don't go to netcraft and ask 'what's that site running' before they root you." Richard Updegrove - 12/7/2002
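The dump above is easier to read than it looks: the ASCII column of every hexdump line is itself a run of hex digits (`485454502F312E31` and so on), which means the payload pulled out of the database is hex-encoded text, not encrypted data. Decoding that second layer gives the start of an ordinary HTTP response. The following Python script is an added example, not part of Paul's post and not Snort or ACID code: it parses the sixteen hexdump lines quoted in the message (embedded as a constant), strips the hex layer, and then checks the recovered payload for the byte string the rule matches. Two assumptions are labelled in the code: that Snort reads the `\:` in the rule's content as an escaped colon, so the bytes searched for are `javascript://`, and that the comparison should be case-insensitive (the rule's `nocase` option is not shown in the post).

```python
"""Decode a double hex-encoded Snort payload dump and test it against a rule content string.

Added example for the mailing-list question above; the DUMP constant is the
sixteen hexdump lines quoted in the post, nothing else is taken from the page.
"""
import re

# Constructed from the sixteen lines in the post: offset, 16 hex bytes, |ascii| column.
DUMP = """\
00000000 34 38 35 34 35 34 35 30 32 46 33 31 32 45 33 31 |485454502F312E31|
00000010 32 30 33 32 33 30 33 30 32 30 34 46 34 42 30 44 |20323030204F4B0D|
00000020 30 41 35 33 36 35 37 32 37 36 36 35 37 32 33 41 |0A5365727665723A|
00000030 32 30 34 45 36 35 37 34 37 33 36 33 36 31 37 30 |204E657473636170|
00000040 36 35 32 44 34 35 36 45 37 34 36 35 37 32 37 30 |652D456E74657270|
00000050 37 32 36 39 37 33 36 35 32 46 33 36 32 45 33 30 |726973652F362E30|
00000060 30 44 30 41 34 34 36 31 37 34 36 35 33 41 32 30 |0D0A446174653A20|
00000070 34 44 36 46 36 45 32 43 32 30 33 31 33 37 32 30 |4D6F6E2C20313720|
00000080 34 36 36 35 36 32 32 30 33 32 33 30 33 30 33 33 |4665622032303033|
00000090 32 30 33 31 33 35 33 41 33 32 33 33 33 41 33 34 |2031353A32333A34|
000000a0 33 39 32 30 34 37 34 44 35 34 30 44 30 41 34 33 |3920474D540D0A43|
000000b0 36 46 36 45 37 34 36 35 36 45 37 34 32 44 37 34 |6F6E74656E742D74|
000000c0 37 39 37 30 36 35 33 41 32 30 37 34 36 35 37 38 |7970653A20746578|
000000d0 37 34 32 46 36 38 37 34 36 44 36 43 30 44 30 41 |742F68746D6C0D0A|
000000e0 34 35 37 34 36 31 36 37 33 41 32 30 32 32 33 31 |457461673A202231|
000000f0 33 39 36 36 33 39 33 33 36 33 33 31 36 35 32 44 |396639336331652D|
"""

# One hexdump line: 8-digit offset, then up to 16 two-digit hex bytes, then the |ascii| column.
HEXDUMP_LINE = re.compile(r"^[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|")

# Assumption: Snort treats "\:" in the rule's content string as a literal colon,
# so the bytes the rule looks for are exactly these.
RULE_CONTENT = b"javascript://"


def parse_hexdump(text: str) -> bytes:
    """Turn the hex byte columns of a hexdump back into the bytes they describe."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line.strip())
        if not m:
            continue  # skip blank or non-hexdump lines
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def unhex_layers(data: bytes, max_layers: int = 4) -> tuple[bytes, int]:
    """Strip repeated hex-text encodings while the data is still pure hex digits.

    The database stored the payload as hex text, so one layer is expected here.
    max_layers guards the (unlikely) case of a real payload that is itself all hex
    digits and would otherwise be decoded one time too many.
    """
    layers = 0
    while layers < max_layers:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            break
        if len(text) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", text):
            break
        data = bytes.fromhex(text)
        layers += 1
    return data, layers


def matches_rule_content(payload: bytes, content: bytes = RULE_CONTENT, nocase: bool = True) -> bool:
    """Plain substring check, the same thing a Snort content match does on the packet data.

    Assumption: nocase=True mirrors a rule carrying the nocase option; the post
    does not show whether this rule has it.
    """
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def analyse(dump_text: str) -> dict:
    """Decode a dump and report what it contains and whether the rule content is present."""
    raw = parse_hexdump(dump_text)
    payload, layers = unhex_layers(raw)
    return {"layers": layers, "payload": payload, "hit": matches_rule_content(payload)}


if __name__ == "__main__":
    result = analyse(DUMP)
    print(f"hex layers removed: {result['layers']}")
    print(f"payload ({len(result['payload'])} bytes): {result['payload']!r}")
    print(f"rule content {RULE_CONTENT!r} present: {result['hit']}")
```

Run on the quoted dump, the script recovers 128 bytes beginning `HTTP/1.1 200 OK` followed by `Server: Netscape-Enterprise/6.0`, `Date: Mon, 17 Feb 2003 15:23:49 GMT`, `Content-type: text/html` and the start of an `Etag` header: the beginning of the credit union's response, with no `javascript://` in the excerpt. Whatever tripped the rule sits further into the response body than these sixteen lines reach, so pulling the full `data_payload` row from the database and running it through the same decoder is the way to see the exact context of the match and judge whether the site's own script is a false positive.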