Snort mailing list archives
Re: Javascript in UA
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 22 Apr 2013 14:27:39 -0600
On 2013-04-22 14:18, Joel Esler wrote:
James, Nick took this and cleaned up and I put it in the system with the SID 26483. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| <SCRIPT>"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html [11]; classtype:web-application-attack; sid:26483; rev:1;) -- JOEL ESLER Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
Thanks Joel! James ------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA Nick Randolph (Apr 22)
- Re: Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA Joel Esler (Apr 22)
- Re: Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA rmkml (Apr 22)
- Re: Javascript in UA Nick Randolph (Apr 22)