Home page logo
/

snort logo Snort mailing list archives

Re: Javascript in UA
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 22 Apr 2013 14:27:39 -0600

On 2013-04-22 14:18, Joel Esler wrote:
James,

Nick took this and cleaned up and I put it in the system with the SID
26483.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS
attempt"; flow:to_server,established; content:"User-Agent|3A|
<SCRIPT>"; fast_pattern:only; http_header; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community,
service http;

reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
[11]; classtype:web-application-attack; sid:26483; rev:1;)

--
JOEL ESLER
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



Thanks Joel!

James

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault