Snort mailing list archives
RE: More sid 1841
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 21 Feb 2003 13:52:04 -0600
Thanks for the clarification, Matt. Did I misunderstand the exploit? I
*thought* it was the backslash at the end of the javascript call that
was causing the problem. The exploit example has:
"javascript://{url-here}\n". I didn't catch that the problem was the
two forward slashes at the beginning of the string.
BTW, not to be picky, but this rule is *not* marked EXPERIMENTAL. It's
in the web-client.rules file, and there's no indication that it is an
experimental rule. Also, I'd take issue with your statement that it is
"an unusual, but safe, piece of javascript". It's apparently pretty
common practice. Just one site trips that rule enough times to make the
top fifteen source destinations for alerts, and *that* site I *know* is
not doing anything "evil". That one rule accounts for 5% of the total
alerts in acid - some 15,253 alerts over 10 days.
I guess I'll disable it. :-(
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
-----Original Message-----
From: Matt Kettler [mailto:mkettler () EVI-INC COM]
Sent: Friday, February 21, 2003 12:57 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: Re: [Snort-users] More sid 1841
At 12:03 AM 2/21/2003 -0600, Schmehl, Paul L wrote:
Unfortunately javascript:// is safe in a few cases, but dangerous in a
lot
of others. There's no good way for a snort rule to tell the difference
between a hostile attack, and an unusual, but safe, piece of javascript.
This is very true of a lot of snort rules.
-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)