[Snort-sigs] Javascript in UA

James Lay jlay at ...3266...
Mon Apr 22 15:21:22 EDT 2013


Saw this a while ago..thought I'd sig it up:

alert tcp $EXTERNAL_NET any  -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS"; 
content:"User-Agent|3A| <script>"; http_header; fast_pattern; 
reference:url,http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; 
classtype:web-application-attack; sid:10000048; rev:1;)

As always, any advice that would make my sigs suck less would help :D  
Thanks...and happy Monday (queue groans).

James




More information about the Snort-sigs mailing list