<div dir="ltr">Uhmm ... Thanks Francis. Is it possible to enable some debug mode (at Suricata or rule level) to see what happens? It is really strange that Snort detects this XSS and Suricata does not ...<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 4, 2018 at 9:55 PM, Francis Trudeau <span dir="ltr"><<a href="mailto:ftrudeau@emergingthreats.net" target="_blank">ftrudeau@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">When I test here, with a straight copy of the URL above (and changed<br>
hostname), I get this alert:<br>
<br>
06/04/2018-13:52:42.304756 [**] [1:2009714:7] ET WEB_SERVER Script<br>
tag in URI Possible Cross Site Scripting Attempt [**] [Classification:<br>
Web Application Attack] [Priority: 1] {TCP} <a href="http://10.3.2.11:60258" rel="noreferrer" target="_blank">10.3.2.11:60258</a> -><br>
re.da.ct.ed:80<br>
<br>
<br>
<br>
<br>
<br>
On Fri, Jun 1, 2018 at 9:37 PM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
><br>
>> On 1 Jun 2018, at 20:04, C. L. Martinez <<a href="mailto:carlopmart@gmail.com">carlopmart@gmail.com</a>> wrote:<br>
>><br>
>>> On Fri, Jun 01, 2018 at 05:08:58PM +0200, Peter Manev wrote:<br>
>>>> On Fri, Jun 1, 2018 at 9:22 AM, C. L. Martinez <<a href="mailto:carlopmart@gmail.com">carlopmart@gmail.com</a>> wrote:<br>
>>>> Hi all,<br>
>>>><br>
>>>> I am doing some XSS tests with Suricata 4.0.4 and 4.1beta1 (both installed<br>
>>>> under CentOS 7.5 fully patched) and they are not detected by Suricata.<br>
>>>><br>
>>>> For example launching a request like:<br>
>>>><br>
>>>> <a href="http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E" rel="noreferrer" target="_blank">http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E</a><br>
>>>><br>
>>>> ... no alert is triggered and I have loaded and activated all ET-open<br>
>>>> rules under Suricata.<br>
>>>><br>
>>>> eve.json only logs the server response and not the client request.<br>
>>>><br>
>>><br>
>>> Maybe that could be a clue for not having an alert? (not seeing all<br>
>>> the traffic ?)<br>
>>><br>
>>> Also - do you have all configs set up properly as well in terms of<br>
>>> home/ext nets variables and rule set up (that detects) for that<br>
>>> particular exploit/test.<br>
>>><br>
>>><br>
>> I have checked with snort, and an alert is triggered with it.<br>
>><br>
>> Snort rule:<br>
>> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; sid:9000001; rev:1;)<br>
>><br>
>> Suricata rule:<br>
>> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; sid:900001; rev:1;)<br>
>><br>
>> I am using a pcap capture and request is here ...<br>
><br>
> Is it possible to share the pcap please? (Privately if you need to as well is no problem)<br>
><br>
><br>
><br>
>><br>
>> --<br>
>> Greetings,<br>
>> C. L. Martinez<br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>><br>
>> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
>> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote></div><br></div>
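<p>The two rules quoted in the thread both test the <em>normalized</em> URI buffer (Snort's <code>http_uri</code>, Suricata's <code>uricontent</code>/<code>http_uri</code>), in which <code>%3C/script%3E</code> has already been percent-decoded to <code>&lt;/script&gt;</code>. The Python below is an added example, not code from the thread or from the Suricata or Snort projects: it emulates that single <code>content</code> test with <code>nocase</code> on the URI from the original request, so a rule writer can check offline whether the pattern can match the decoded buffer at all, and confirm that it would <em>not</em> match the still-encoded raw URI. The sample URI is the path and query quoted in the thread (the host name is not part of the buffer); modelling only percent-decoding and skipping the engines' path normalisation is an assumption made here for brevity.</p>

```python
from urllib.parse import unquote

# Constructed sample: the path and query of the URL quoted in the thread
# (the host name is the thread's placeholder and is not part of the URI buffer).
SAMPLE_RAW_URI = (
    "/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3E"
    "alert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E"
)


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer that uricontent/http_uri inspect.

    Assumption: only percent-decoding is modelled. Real engines also apply path
    normalisation (dot segments, duplicate slashes), which is omitted here.
    """
    return unquote(raw_uri)


def content_match(buffer: str, pattern: str, nocase: bool) -> bool:
    """Emulate one content:/uricontent: test, honouring the nocase modifier."""
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def evaluate_uri_rule(raw_uri: str, pattern: str = "</script>",
                      nocase: bool = True, normalized: bool = True) -> bool:
    """Return True when the rule's URI content test would succeed.

    normalized=True mirrors uricontent/http_uri (decoded buffer);
    normalized=False shows what a match against the raw, encoded URI would do.
    """
    buffer = normalize_uri(raw_uri) if normalized else raw_uri
    return content_match(buffer, pattern, nocase)


def triage(raw_uri: str, pattern: str = "</script>") -> dict:
    """Summarise why a rule does or does not fire on a given request URI."""
    return {
        "decoded_uri": normalize_uri(raw_uri),
        "normalized_match": evaluate_uri_rule(raw_uri, pattern, normalized=True),
        "raw_match": evaluate_uri_rule(raw_uri, pattern, normalized=False),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW_URI).items():
        print(f"{key}: {value}")
```

Running it shows <code>normalized_match</code> is true while <code>raw_match</code> is false, which is the expected outcome for both rules in the thread: if Suricata still does not alert, the difference is not in the pattern but in whether the engine saw and parsed the client side of the HTTP transaction (the eve.json observation above that only the response was logged is the first thing to verify).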