[Snort-sigs] Javascript in UA

Nick Randolph drandolph at ...435...
Mon Apr 22 15:43:40 EDT 2013


I would use fast_pattern:only;


On Mon, Apr 22, 2013 at 3:21 PM, James Lay <jlay at ...3266...> wrote:

> Saw this a while ago..thought I'd sig it up:
>
> alert tcp $EXTERNAL_NET any  -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS";
> content:"User-Agent|3A| <script>"; http_header; fast_pattern;
> reference:url,
> http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
> ;
> classtype:web-application-attack; sid:10000048; rev:1;)
>
> As always, any advice that would make my sigs suck less would help :D
> Thanks...and happy Monday (queue groans).
>
> James
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130422/91320723/attachment.html>


More information about the Snort-sigs mailing list