[Snort-sigs] Javascript in UA

rmkml rmkml at ...174...
Mon Apr 22 16:28:57 EDT 2013


Hi,

Well, I prefer searching < or %3c on User-Agent... (ok it's more cpu intensive)

Created on my own rule set after research on CVE-2006-2558 (around jul 2011).

Best Regards
Rmkml

http://twitter.com/rmkml


On Mon, 22 Apr 2013, Joel Esler wrote:

> James,
> Nick took this and cleaned up and I put it in the system with the SID 26483.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| <SCRIPT>";
> fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:1;)
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> On Apr 22, 2013, at 3:43 PM, Nick Randolph <drandolph at ...435...> wrote:
>
>       I would use fast_pattern:only;
> 
> 
> On Mon, Apr 22, 2013 at 3:21 PM, James Lay <jlay at ...3266...> wrote:
>       Saw this a while ago..thought I'd sig it up:
>
>       alert tcp $EXTERNAL_NET any  -> $HTTP_SERVERS $HTTP_PORTS
>       (msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS";
>       content:"User-Agent|3A| <script>"; http_header; fast_pattern;
>       reference:url,http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html;
>       classtype:web-application-attack; sid:10000048; rev:1;)
>
>       As always, any advice that would make my sigs suck less would help :D
>       Thanks...and happy Monday (queue groans).
>
>       James
>
>       ------------------------------------------------------------------------------
>       Precog is a next-generation analytics platform capable of advanced
>       analytics on semi-structured data. The platform includes APIs for building
>       apps and a phenomenal toolset for data science. Developers can use
>       our toolset for easy data analysis & visualization. Get a free account!
>       http://www2.precog.com/precogplatform/slashdotnewsletter
>       _______________________________________________
>       Snort-sigs mailing list
>       Snort-sigs at lists.sourceforge.net
>       https://lists.sourceforge.net/lists/listinfo/snort-sigs
>       http://www.snort.org
> 
>
>       Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
> 
> 
> --
> 
> Nick Randolph
> Research Engineer
> Sourcefire, Inc.
> nrandolph at ...435...
> Sourcefire.com
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
> 
>


More information about the Snort-sigs mailing list