Rule Category

BROWSER-IE -- Snort has detected traffic known to exploit vulnerabilities present in the Internet Explorer browser, or products that have the Trident or Tasman engines.

Alert Message

BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt

Rule Explanation

This preprocessor fires when Snort detects Javascript obfuscation levels in excess of what it is configured to allow

What To Look For

Snort monitors how much obfuscation Javascripts on webpages use. When multiple levels are observed this alert is generated as excessive obfuscation is a suspicious practice.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

In the modern web a sizeable amount of Javascript code is obfuscated in order to keep it moderately "secret". This is a practice that should be discouraged because it makes it harder to distinguish this code from malicious code trying to avoid inspection.


Cisco Talos Intelligence Group

Rule Groups

No rule groups


Additional Links

Rule Vulnerability


Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
Loading description

MITRE ATT&CK Framework

Tactic: Defense Evasion

Technique: Obfuscated Files or Information

For reference, see the MITRE ATT&CK vulnerability types here: