[Snort-sigs] Javascript in UA

James Lay jlay at ...3266...
Mon Apr 22 16:27:39 EDT 2013


On 2013-04-22 14:18, Joel Esler wrote:
> James,
>
> Nick took this and cleaned up and I put it in the system with the SID
> 26483.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS
> attempt"; flow:to_server,established; content:"User-Agent|3A|
> <SCRIPT>"; fast_pattern:only; http_header; metadata:policy
> balanced-ips drop, policy security-ips drop, ruleset community,
> service http;
> 
> reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
> [11]; classtype:web-application-attack; sid:26483; rev:1;)
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>


Thanks Joel!

James




More information about the Snort-sigs mailing list