Snort mailing list archives
Sleepy UA
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 17 May 2016 08:46:37 -0600
This caught my eye this morning: https://blog.cloudflare.com/the-sleepy-user-agent/

First shot at matching not just sleepy, but select * from SQL statements in the UA:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER SQLi in User Agent"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; fast_pattern:only; content:"select"; content:"from"; within:20; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:10000130; rev:1;)

Might need cleanup, or might be a better method than what I made :D

James
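The rule above matches "select" followed by "from" within 20 bytes, but only the User-Agent content is bound to http_header; the two trailing content matches carry no buffer modifier or nocase, so they are evaluated against the raw payload. The following Python prototype is an added example (not the poster's rule, and not Snort code) that applies the same select/from-within-20 logic two ways over constructed sample requests: once scoped to the User-Agent header value, and once over the whole raw request, so the difference shows up on a POST whose body legitimately contains SQL. The sample requests and the 20-byte window are constructed for the example; Snort's within:N semantics (the whole second pattern must fall inside the N bytes following the end of the previous match) is reproduced with str.find bounds.

```python
"""Prototype of the 'SQL in User-Agent' detection idea from the post, run over
constructed sample HTTP requests (example code; not the Snort rule itself)."""

WINDOW = 20  # mirrors the rule's within:20 (assumed window for the example)


def parse_request(raw: bytes) -> tuple[str, dict, bytes]:
    """Split a raw HTTP/1.x request into (request line, header dict, body).

    Header names are lowercased; duplicate headers are joined with ', '.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers, body


def select_then_from(text: str, window: int = WINDOW) -> bool:
    """Emulate content:"select"; content:"from"; within:N; with nocase.

    Snort's within:N requires the whole second pattern to lie inside the N
    bytes that follow the end of the previous match; str.find with an end
    bound only matches when the substring lies entirely inside the slice,
    which gives the same semantics.
    """
    low = text.lower()
    start = low.find("select")
    while start != -1:
        end = start + len("select")
        if low.find("from", end, end + window) != -1:
            return True
        start = low.find("select", start + 1)
    return False


def scan_user_agent(raw: bytes) -> bool:
    """Header-scoped check: only the User-Agent value is inspected."""
    _, headers, _ = parse_request(raw)
    return select_then_from(headers.get("user-agent", ""))


def scan_raw_payload(raw: bytes) -> bool:
    """Unscoped check: the same patterns over the whole request, headers and
    body, which is what content matches without a buffer modifier see."""
    return select_then_from(raw.decode("latin-1"))


# Constructed sample traffic for the example (not captured data).
SAMPLES = {
    "benign": (
        b"GET / HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0\r\n\r\n"
    ),
    "sqli_in_ua": (
        b"GET / HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: Mozilla/5.0' AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- \r\n\r\n"
    ),
    "sql_in_body_only": (
        b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: curl/7.47.0\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 24\r\n\r\nq=SELECT+name+FROM+users"
    ),
    "from_outside_window": (
        b"GET / HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: select-a-very-long-product-name-token from vendor\r\n\r\n"
    ),
}


def run_all() -> dict[str, tuple[bool, bool]]:
    """Return {sample: (user_agent_hit, raw_payload_hit)} for every sample."""
    return {name: (scan_user_agent(r), scan_raw_payload(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ua_hit, raw_hit) in run_all().items():
        print(f"{name:22s} user-agent={str(ua_hit):5s} raw-payload={raw_hit}")
```

Running it shows the header-scoped check firing only on the injected User-Agent, while the unscoped check also fires on the form POST carrying "SELECT name FROM users" in its body; the fourth sample shows that "from" more than 20 bytes past "select" does not match under either check. In the Snort rule that corresponds to adding http_header (and nocase, since the sample injection is upper-case) to the "select" and "from" content options.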
Current thread:
- Sleepy UA James Lay (May 17)