Snort mailing list archives

WEB-CLIENT javascript URL host spoofing attempt


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 20 Feb 2003 21:46:33 -0600

Is anyone solidly knowledgeable of this rule?  The reason that I ask is
that I've gotten a high number of hits on this rule, but they're to a
site that I *know* our users are using frequently - (our local credit
union.)  I don't *think* this is "bad" activity, so I'm wondering what
trips the rule?  (And before you respond "RTFM!!", read on.)

I see that the rule states "content:"javascript\://", and I've read the
bugtraq discussion about stealing cookies.  What I'm wondering is if
this rule can be triggered by "normal" Javascript.  I'm certain the
credit union uses cookies, and I'm equally certain they access those
cookies when you visit their site.  Is this bad code on their part?  Or
is this rule subject to false positives?

I'm also wondering if the content for this rule shouldn't be
"javascript://\" (or simply "javascript:/\") rather than what it is.

Sorry, but I don't have any payload data.  I can't seem to get acid to
bring it up and what I get from the database (using mysql commands) is a
bunch of hex that appears like encrypted data to me.  Even with hexdump
it's all hex.  (Here are the first sixteen lines, if that helps anyone.)

00000000  34 38 35 34 35 34 35 30  32 46 33 31 32 45 33 31  |485454502F312E31|
00000010  32 30 33 32 33 30 33 30  32 30 34 46 34 42 30 44  |20323030204F4B0D|
00000020  30 41 35 33 36 35 37 32  37 36 36 35 37 32 33 41  |0A5365727665723A|
00000030  32 30 34 45 36 35 37 34  37 33 36 33 36 31 37 30  |204E657473636170|
00000040  36 35 32 44 34 35 36 45  37 34 36 35 37 32 37 30  |652D456E74657270|
00000050  37 32 36 39 37 33 36 35  32 46 33 36 32 45 33 30  |726973652F362E30|
00000060  30 44 30 41 34 34 36 31  37 34 36 35 33 41 32 30  |0D0A446174653A20|
00000070  34 44 36 46 36 45 32 43  32 30 33 31 33 37 32 30  |4D6F6E2C20313720|
00000080  34 36 36 35 36 32 32 30  33 32 33 30 33 30 33 33  |4665622032303033|
00000090  32 30 33 31 33 35 33 41  33 32 33 33 33 41 33 34  |2031353A32333A34|
000000a0  33 39 32 30 34 37 34 44  35 34 30 44 30 41 34 33  |3920474D540D0A43|
000000b0  36 46 36 45 37 34 36 35  36 45 37 34 32 44 37 34  |6F6E74656E742D74|
000000c0  37 39 37 30 36 35 33 41  32 30 37 34 36 35 37 38  |7970653A20746578|
000000d0  37 34 32 46 36 38 37 34  36 44 36 43 30 44 30 41  |742F68746D6C0D0A|
000000e0  34 35 37 34 36 31 36 37  33 41 32 30 32 32 33 31  |457461673A202231|
000000f0  33 39 36 36 33 39 33 33  36 33 33 31 36 35 32 44  |396639336331652D|

Paul Schmehl (pauls () utdallas edu)
"The slapper worm variants don't go to
netcraft and ask 'what's that site 
running' before they root you."
Richard Updegrove - 12/7/2002 
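Editor's note on the dump above (added example, not code from the original message): the bytes in the hexdump are themselves ASCII hex digits, which is what you get when you run hexdump over a payload column that the Snort database output plugin stored hex-encoded. Decoding it a second time yields a plain HTTP response. The script below parses the sixteen lines exactly as posted, decodes the double encoding, splits out the HTTP headers, and runs the same literal byte search that a Snort `content:` option performs for the rule's pattern. The hexdump text is copied from the post; the function names, regular expression and the `javascript://` pattern passed to the check are the editor's own assumptions. On this fragment the decoded bytes are only the response headers, so the match (if any) lies further into the body than the dump reaches.

```python
"""Decode the double hex-encoded Snort payload dump from the post.

Added example by the editor, not code from the original message.  The
HEXDUMP text is copied from the post; everything else is assumed.
"""
import re

# The sixteen hexdump lines from the post (copied input, not constructed).
HEXDUMP = """\
00000000  34 38 35 34 35 34 35 30  32 46 33 31 32 45 33 31  |485454502F312E31|
00000010  32 30 33 32 33 30 33 30  32 30 34 46 34 42 30 44  |20323030204F4B0D|
00000020  30 41 35 33 36 35 37 32  37 36 36 35 37 32 33 41  |0A5365727665723A|
00000030  32 30 34 45 36 35 37 34  37 33 36 33 36 31 37 30  |204E657473636170|
00000040  36 35 32 44 34 35 36 45  37 34 36 35 37 32 37 30  |652D456E74657270|
00000050  37 32 36 39 37 33 36 35  32 46 33 36 32 45 33 30  |726973652F362E30|
00000060  30 44 30 41 34 34 36 31  37 34 36 35 33 41 32 30  |0D0A446174653A20|
00000070  34 44 36 46 36 45 32 43  32 30 33 31 33 37 32 30  |4D6F6E2C20313720|
00000080  34 36 36 35 36 32 32 30  33 32 33 30 33 30 33 33  |4665622032303033|
00000090  32 30 33 31 33 35 33 41  33 32 33 33 33 41 33 34  |2031353A32333A34|
000000a0  33 39 32 30 34 37 34 44  35 34 30 44 30 41 34 33  |3920474D540D0A43|
000000b0  36 46 36 45 37 34 36 35  36 45 37 34 32 44 37 34  |6F6E74656E742D74|
000000c0  37 39 37 30 36 35 33 41  32 30 37 34 36 35 37 38  |7970653A20746578|
000000d0  37 34 32 46 36 38 37 34  36 44 36 43 30 44 30 41  |742F68746D6C0D0A|
000000e0  34 35 37 34 36 31 36 37  33 41 32 30 32 32 33 31  |457461673A202231|
000000f0  33 39 36 36 33 39 33 33  36 33 33 31 36 35 32 44  |396639336331652D|
"""

# offset, up to sixteen space-separated hex bytes, then an optional |ascii| column
LINE_RE = re.compile(
    r"^(?P<off>[0-9a-fA-F]{8})\s+"
    r"(?P<hex>(?:[0-9a-fA-F]{2}\s+){1,16})"
    r"(?:\|(?P<asc>.*)\|)?\s*$"
)


def parse_hexdump(text):
    """Rebuild raw bytes from hexdump -C style lines, checking offsets and
    the ascii column against the hex column."""
    raw = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-dump line
        if int(m.group("off"), 16) != len(raw):
            raise ValueError("offsets not contiguous at " + m.group("off"))
        chunk = bytes.fromhex(m.group("hex"))  # fromhex skips whitespace
        if m.group("asc") is not None:
            # hexdump shows non-printable bytes as '.'
            shown = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            if shown != m.group("asc"):
                raise ValueError("ascii column disagrees with hex bytes")
        raw += chunk
    return bytes(raw)


def decode_payload(raw):
    """The dumped bytes are hex digits (the DB stored the payload as hex
    text), so decode once more to get the packet payload itself."""
    text = raw.decode("ascii")
    if len(text) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", text):
        raise ValueError("not a hex-encoded payload")
    return bytes.fromhex(text)


def http_headers(payload):
    """Split an HTTP response prefix into (status line, {name: value});
    a truncated final header line is kept as far as it goes."""
    lines = payload.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b": ")
        if sep:
            headers[name.decode("latin-1").lower()] = value.decode("latin-1")
    return status, headers


def rule_content_matches(payload, pattern=b"javascript://"):
    """A Snort content option is a literal byte search (case-sensitive
    unless nocase is set); apply the same check to the decoded payload."""
    return pattern in payload


if __name__ == "__main__":
    raw = parse_hexdump(HEXDUMP)
    payload = decode_payload(raw)
    status, headers = http_headers(payload)
    print(status)
    for name, value in headers.items():
        print(f"  {name}: {value}")
    print("rule content present in dumped bytes:", rule_content_matches(payload))
```

Run as-is and the status line and Server, Date, Content-type and (truncated) Etag headers print; the pattern check on these 128 bytes is false, which only says the headers do not contain it. To see what actually tripped the rule, the same decoding has to be applied to the whole stored payload, not just the first sixteen dump lines.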

