Home page logo
/

snort logo Snort mailing list archives

Re: Javascript in UA
From: Nick Randolph <drandolph () sourcefire com>
Date: Mon, 22 Apr 2013 15:43:40 -0400

I would use fast_pattern:only;


On Mon, Apr 22, 2013 at 3:21 PM, James Lay <jlay () slave-tothe-box net> wrote:

Saw this a while ago..thought I'd sig it up:

alert tcp $EXTERNAL_NET any  -> $HTTP_SERVERS $HTTP_PORTS
(msg:"SERVER-WEBAPP JavaScript in User-Agent, possible XSS";
content:"User-Agent|3A| <script>"; http_header; fast_pattern;
reference:url,
http://blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
;
classtype:web-application-attack; sid:10000048; rev:1;)

As always, any advice that would make my sigs suck less would help :D
Thanks...and happy Monday (queue groans).

James


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]