Snort mailing list archives

Sleepy UA


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 17 May 2016 08:46:37 -0600

This caught my eye this morning:

https://blog.cloudflare.com/the-sleepy-user-agent/

First shot at matching not just sleepy, but select * from sql statements 
in the UA:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER SQLi in User Agent"; \
 flow:established,to_server; content:"User-Agent|3a 20|"; http_header; fast_pattern:only; \
 content:"select"; http_header; content:"from"; within:20; http_header; \
 reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:10000130; rev:1;)

Might need cleanup, or might be a better method than what I made :D

James
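To see what the rule above actually matches, here is an added example (not from the post or the Snort project) that emulates its `content:"select"; content:"from"; within:20;` logic in Python over constructed HTTP requests. It shows the difference between scoping the keyword matches to the header block (http_header) and scanning the whole packet, and that the rule as written is case-sensitive because it has no `nocase`.

```python
# Constructed sample requests (not from the list post); each is a raw HTTP request.
REQUESTS = {
    # Probe in the User-Agent: "from" ends 5 bytes after "select" ends.
    "sqli_ua": "GET / HTTP/1.1\r\nHost: example.test\r\n"
               "User-Agent: Mozilla/5.0 ' union select 1,2 from users --\r\n\r\n",
    # Benign UA: both keywords present, but "from" is not within 20 bytes of "select".
    "far_apart": "GET / HTTP/1.1\r\nHost: example.test\r\n"
                 "User-Agent: selection-tool/1.0 (built locally from source)\r\n\r\n",
    # SQL only in the body: a header-scoped check must not fire on this.
    "body_only": "POST /q HTTP/1.1\r\nHost: example.test\r\n"
                 "User-Agent: curl/7.47.0\r\nContent-Length: 17\r\n\r\n"
                 "q=select a from t",
    # Upper case: the posted rule has no nocase, so this is a known miss.
    "upper": "GET / HTTP/1.1\r\nHost: example.test\r\n"
             "User-Agent: x' UNION SELECT 1 FROM dual --\r\n\r\n",
}


def header_block(request: str) -> str:
    """Request line plus headers, i.e. roughly what Snort's http_header buffer holds."""
    return request.split("\r\n\r\n", 1)[0]


def content_within(buf: str, first: str, second: str, within: int) -> bool:
    """Emulate `content:first; content:second; within:N`: the second match must end
    no more than N bytes after the end of some match of the first. Case-sensitive,
    like the posted rule, which carries no nocase modifier."""
    start = buf.find(first)
    while start != -1:
        end = start + len(first)
        if second in buf[end:end + within]:
            return True
        start = buf.find(first, start + 1)
    return False


def ua_sqli_alert(request: str) -> bool:
    """Header-scoped check: a User-Agent header exists and `select ... from` is in the headers."""
    hdrs = header_block(request)
    return "User-Agent: " in hdrs and content_within(hdrs, "select", "from", 20)


def ua_sqli_alert_raw(request: str) -> bool:
    """Same keywords matched over the whole packet (what happens if the keyword contents
    are not tied to http_header): body text can trigger the alert."""
    return "User-Agent: " in header_block(request) and content_within(request, "select", "from", 20)


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:10} header-scoped={ua_sqli_alert(req)!s:5} raw={ua_sqli_alert_raw(req)}")
```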

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

