[Snort-sigs] Javascript in UA

James Lay jlay at ...3266...
Mon Apr 22 15:45:04 EDT 2013


On 2013-04-22 13:43, Nick Randolph wrote:
> I would use fast_pattern:only;
>
> On Mon, Apr 22, 2013 at 3:21 PM, James Lay <jlay at ...3266...
> [7]> wrote:
>
>> Saw this a while ago..thought Id sig it up:
>>
>> alert tcp $EXTERNAL_NET any  -> $HTTP_SERVERS $HTTP_PORTS
>> (msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS";
>> content:"User-Agent|3A| <script>"; http_header; fast_pattern;
>>
> 
> reference:url,http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
>> [1];
>> classtype:web-application-attack; sid:10000048; rev:1;)
>>
>> As always, any advice that would make my sigs suck less would help
>> :D
>> Thanks...and happy Monday (queue groans).
>>
>> James

Thanks Randolph!

James




More information about the Snort-sigs mailing list