Snort mailing list archives
RE: More sid 1841
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 21 Feb 2003 13:52:04 -0600
Thanks for the clarification, Matt. Did I misunderstand the exploit? I *thought* it was the backslash at the end of the javascript call that was causing the problem. The exploit example has: "javascript://{url-here}\n". I didn't catch that the problem was the two forward slashes at the beginning of the string.

BTW, not to be picky, but this rule is *not* marked EXPERIMENTAL. It's in the web-client.rules file, and there's no indication that it is an experimental rule.

Also, I'd take issue with your statement that it is "an unusual, but safe, piece of javascript". It's apparently pretty common practice. Just one site trips that rule enough times to make the top fifteen source destinations for alerts, and *that* site I *know* is not doing anything "evil". That one rule accounts for 5% of the total alerts in acid - some 15,253 alerts over 10 days.

I guess I'll disable it. :-(

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Matt Kettler [mailto:mkettler () EVI-INC COM]
Sent: Friday, February 21, 2003 12:57 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: Re: [Snort-users] More sid 1841

At 12:03 AM 2/21/2003 -0600, Schmehl, Paul L wrote:

Unfortunately javascript:// is safe in a few cases, but dangerous in a lot of others. There's no good way for a snort rule to tell the difference between a hostile attack, and an unusual, but safe, piece of javascript. This is very true of a lot of snort rules.
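Added example, not from the thread or from the Snort rule set: a small Python model of the false-positive problem discussed above. It assumes (as Paul's alert counts suggest) that sid 1841 fires on the bare literal "javascript://", and places beside it a narrower check that only fires when the "//" comment is ended by a newline (literal or URL-encoded, an assumption about how the trick would be delivered) and script text follows it. The sample links are constructed for the example.

```python
import re

# Constructed sample response fragments (not taken from any real site).
SAMPLES = {
    # Common benign idiom: "//" opens a comment and nothing follows it.
    # A bare match on "javascript://" alerts on every one of these links.
    "benign_empty": '<a href="javascript://">menu</a>',
    # Benign: comment body with no newline, so nothing is ever executed.
    "benign_comment": '<a href="javascript://click handled elsewhere">x</a>',
    # The pattern quoted in the thread: the comment swallows the host-looking
    # text up to the newline, and what follows the newline still runs.
    "comment_trick": '<a href="javascript://example.test/\nalert(1)">x</a>',
    # Same trick with the newline URL-encoded, which a browser decodes.
    "comment_trick_encoded": '<a href="javascript://example.test/%0Aalert(1)">x</a>',
    # No javascript: scheme at all.
    "plain": '<a href="http://example.test/">x</a>',
}

# Model of the broad rule as the thread describes it: literal scheme + "//".
NAIVE = re.compile(r"javascript://", re.IGNORECASE)

# Narrower check: after "javascript://", a comment body that stays inside the
# attribute value, then a newline (literal, CR, or %0A/%0D), then at least one
# non-blank character, i.e. script text that survives the comment.
REFINED = re.compile(
    r"javascript://[^\n\r\"']*?(?:\n|\r|%0[aAdD])\s*\S",
    re.IGNORECASE,
)


def naive_alert(body: str) -> bool:
    """True if the broad 'javascript://' content match would fire."""
    return NAIVE.search(body) is not None


def refined_alert(body: str) -> bool:
    """True only for the comment-then-newline-then-code shape."""
    return REFINED.search(body) is not None


def triage(samples: dict) -> dict:
    """Map sample name -> (naive_fires, refined_fires) for tuning comparison."""
    return {name: (naive_alert(s), refined_alert(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (naive, refined) in triage(SAMPLES).items():
        print(f"{name:22s} naive={naive!s:5s} refined={refined}")
```

The two benign links show the cost of the broad match; the refined pattern still cannot prove intent, only that the link has the shape the thread calls dangerous.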