[Snort-users] Snort Alert[1:16482:8]

waldo kitty wkitty42 at ...14940...
Tue Mar 26 21:44:19 EDT 2013

On 3/26/2013 11:44, Michael Steele wrote:
> Is it possible users could be spoofing their x browser to appear to be IE?

spoofing the UA would not trigger the rule in question...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft 
Internet Explorer userdata behavior memory corruption attempt"; 
flow:to_client,established; content:"addBehavior|28|"; nocase; 
content:"|23|default|23|userData"; distance:0; nocase; 
content:"setAttribute|28|"; distance:0; nocase; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; 
classtype:attempted-user; sid:16482; rev:6;)

granted, the above is version 6 of the rule but i doubt it has changed that much 
to be UA centric... the CVE and KB probably target the specific browsers in 
their writings...

More information about the Snort-users mailing list