Snort mailing list archives
Re: Javascript in UA
From: rmkml <rmkml () yahoo fr>
Date: Mon, 22 Apr 2013 22:28:57 +0200 (CEST)
Hi, Well, I prefer searching < or %3c on User-Agent... (ok it's more cpu intensive) Created on my own rule set after research on CVE-2006-2558 (around jul 2011). Best Regards Rmkml http://twitter.com/rmkml On Mon, 22 Apr 2013, Joel Esler wrote:
James,
Nick took this and cleaned up and I put it in the system with the SID 26483.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt";
flow:to_server,established; content:"User-Agent|3A| <SCRIPT>";
fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html;
classtype:web-application-attack; sid:26483; rev:1;)
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
On Apr 22, 2013, at 3:43 PM, Nick Randolph <drandolph () sourcefire com> wrote:
I would use fast_pattern:only;
On Mon, Apr 22, 2013 at 3:21 PM, James Lay <jlay () slave-tothe-box net> wrote:
Saw this a while ago..thought I'd sig it up:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS";
content:"User-Agent|3A| <script>"; http_header; fast_pattern;
reference:url,http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html;
classtype:web-application-attack; sid:10000048; rev:1;)
As always, any advice that would make my sigs suck less would help :D
Thanks...and happy Monday (queue groans).
James
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA Nick Randolph (Apr 22)
- Re: Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA Joel Esler (Apr 22)
- Re: Javascript in UA James Lay (Apr 22)
- Re: Javascript in UA rmkml (Apr 22)
- Re: Javascript in UA Nick Randolph (Apr 22)