09-21-2006 07:05 AM - edited 03-10-2019 03:14 AM
This signature appears to be looking for script markers in the header, but is firing on just the presence of 'script' which is not a problem. Example:
000000 47 45 54 20 2F 42 75 72 73 74 69 6E 67 53 63 72 GET /BurstingScr
000010 69 70 74 2F 61 64 64 69 6E 65 79 65 2E 6A 73 20 ipt/addineye.js
000020 48 54 54 50 2F 31 2E 31 0D HTTP/1.1.
09-21-2006 09:34 AM
It actually fires on in the header. There's probably more to the alert context than what you have pasted there. If you enable "Produce Verbose Alert" as an action for that sig, you will see the trigger packet in the alert, and that should contain the "script ... /script"
09-21-2006 12:05 PM
OK, changed and re-baited the hook. Awaiting the next fish...
09-21-2006 12:47 PM
09-22-2006 12:13 PM
Well, doesn't look malicious at all. Not that I was having all sorts of luck finding out much about it, but from what I could find, looks like a click thru banner ad. Just looks like it's feeding some benign information into the javascript banner generator.
I will update the benign triggers section of the signature accordingly.
09-22-2006 03:46 PM
Isn't the signature designed to basically just look at the URI content? Can you adjust the regexp to locate script tags before the
09-23-2006 07:47 AM
No, 5432-0 is looking for script tags anywhere in the entire header. You may be thinking of the other XSS sigs. 5232-x sigs look for script in the uri and arguments only.
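Added example, not part of the thread and not the sensor's own logic: a small triage helper that shows the distinction discussed above, the bare word 'script' in the URI versus a script tag pair anywhere in the request header. The patterns, the function name inspect and the second sample request are assumptions made for illustration; the first sample is the bytes from the hex dump in the first post.

```python
import re
from urllib.parse import unquote_to_bytes

# Request bytes copied from the hex dump in the first post.
DUMP = bytes.fromhex(
    "47 45 54 20 2F 42 75 72 73 74 69 6E 67 53 63 72 "
    "69 70 74 2F 61 64 64 69 6E 65 79 65 2E 6A 73 20 "
    "48 54 54 50 2F 31 2E 31 0D"
)
# Constructed sample: the same request line plus a Referer header that
# carries a percent-encoded script tag pair (benign banner-style content).
WITH_TAG = (DUMP + b"\nHost: ads.example.test\r\n"
            b"Referer: http://example.test/p?b=%3Cscript%3Evar%20ad=1%3C/script%3E\r\n\r\n")

# Stand-in patterns (assumptions, not the signature's real regexes).
WORD = re.compile(rb"script", re.I)
TAG_PAIR = re.compile(rb"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S)

def inspect(raw: bytes) -> dict:
    """Report where 'script' shows up: bare word vs tag pair, URI vs whole header."""
    header = raw.split(b"\r\n\r\n", 1)[0]           # everything before the body
    parts = header.split(b"\r\n", 1)[0].split(b" ")  # request line fields
    uri = parts[1] if len(parts) >= 2 else b""
    # Decode percent-escapes so %3Cscript%3E is examined as <script>.
    header_d, uri_d = unquote_to_bytes(header), unquote_to_bytes(uri)
    return {
        "word_in_uri": bool(WORD.search(uri_d)),
        "tag_in_uri": bool(TAG_PAIR.search(uri_d)),
        "tag_in_header": bool(TAG_PAIR.search(header_d)),
    }

if __name__ == "__main__":
    for name, sample in (("dump from post", DUMP), ("constructed", WITH_TAG)):
        print(name, inspect(sample))
```

The pasted bytes alone contain only the word in the URI, so a match on a tag pair has to come from a part of the header that was not pasted, which is what the verbose alert's trigger packet would show.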