https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691491#M92335 <HTML><HEAD></HEAD><BODY><P>It actually fires on <SCRIPT> ... </SCRIPT> in the header. There's probably more to the alert context tat what you have pasted there. If you enable "Produce Verbose Alert" as an action for that sig, you will see the trigger packet in the alert, and that should contain the "script ... /script"</P></BODY></HTML> Thu, 21 Sep 2006 16:34:02 GMT wsulym 2006-09-21T16:34:02Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691490#M92334 <P>This signature appears to be looking for script markers in the header, but is firing on just the presence of 'script' which is not a problem. Example:</P><P></P><P>000000 47 45 54 20 2F 42 75 72 73 74 69 6E 67 53 63 72 GET /BurstingScr</P><P>000010 69 70 74 2F 61 64 64 69 6E 65 79 65 2E 6A 73 20 ipt/addineye.js </P><P>000020 48 54 54 50 2F 31 2E 31 0D HTTP/1.1.</P> Sun, 10 Mar 2019 10:14:04 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691490#M92334 jkell 2019-03-10T10:14:04Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691491#M92335 <HTML><HEAD></HEAD><BODY><P>It actually fires on <SCRIPT> ... </SCRIPT> in the header. There's probably more to the alert context tat what you have pasted there. If you enable "Produce Verbose Alert" as an action for that sig, you will see the trigger packet in the alert, and that should contain the "script ... /script"</P></BODY></HTML> Thu, 21 Sep 2006 16:34:02 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691491#M92335 wsulym 2006-09-21T16:34:02Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691492#M92336 <HTML><HEAD></HEAD><BODY><P>OK, changed and re-baited the hook. Awaiting the next fish...</P></BODY></HTML> Thu, 21 Sep 2006 19:05:01 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691492#M92336 jkell 2006-09-21T19:05:01Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691493#M92337 <HTML><HEAD></HEAD><BODY><P>Got one: the script is in the Referer: tag (sort of).</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Thu, 21 Sep 2006 19:47:53 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691493#M92337 jkell 2006-09-21T19:47:53Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691494#M92338 <HTML><HEAD></HEAD><BODY><P>Well, doesn't look malicious at all. Not that I was having all sorts of luck finding out much about it, but from what I could find, looks like a click thru banner ad. Just looks like its feeding some benign information into the javascript banner generator.</P><P></P><P>I will update the benign triggers section of the signasture accordingly.</P></BODY></HTML> Fri, 22 Sep 2006 19:13:26 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691494#M92338 wsulym 2006-09-22T19:13:26Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691495#M92339 <HTML><HEAD></HEAD><BODY><P>Isn't the signature designed to basically just look at the URI content? Can you adjust the regexp to locate script tags before the <CR><LF> terminator?</LF></CR></P></BODY></HTML> Fri, 22 Sep 2006 22:46:29 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691495#M92339 jkell 2006-09-22T22:46:29Z https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691496#M92340 <HTML><HEAD></HEAD><BODY><P>No, 5432-0 is looking for script tags anywhere in the entire header. You may be thinking of the other XSS sigs. 5232-x sigs look for script in the uri and arguments only.</P></BODY></HTML> Sat, 23 Sep 2006 14:47:36 GMT https://community.cisco.com/t5/network-security/fps-sig-5432-script-in-http-header/m-p/691496#M92340 wsulym 2006-09-23T14:47:36Z