[Oisf-users] Detecting XSS

C. L. Martinez carlopmart at gmail.com
Fri Jun 1 17:04:09 UTC 2018


On Fri, Jun 01, 2018 at 05:08:58PM +0200, Peter Manev wrote:
> On Fri, Jun 1, 2018 at 9:22 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> > Hi all,
> >
> >  I am doing some XSS tests with Suricata 4.0.4 and 4.1beta1 (both installed
> > under CentOS 7.5 fully patched) and they are not detected by Suricata.
> >
> >  For example launching a request like:
> >
> > http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E
> >
> >  ... no alert is triggered and I have loaded and activated all ET-open
> > rules under Suricata.
> >
> > eve.json only logs the server response and not the client request.
> >
> 
> Maybe that could be a clue for not having an alert? (not seeing all
> the traffic ?)
> 
> Also - do you have all configs set up properly as well in terms of
> home/ext nets variables and rule set up (that detects) for that
> particular exploit/test.
> 
> 
I have checked with Snort, and an alert is triggered with it.

Snort rule:
alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; sid:9000001; rev:1;)

Suricata rule:
alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; sid:900001; rev:1;)

I am using a pcap capture, and the request is here ...

-- 
Greetings,
C. L. Martinez
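A quick check of which URI buffer a signature like the two above can match, as an added example (not from the thread and not Suricata or Snort code): it emulates a case-insensitive content match for "</script>" against the raw request-target, a once-percent-decoded copy and a twice-decoded copy. The request bytes are constructed here; the first one reproduces the URL quoted in the thread, while the double-encoded and benign requests are hypothetical additions.

```python
from urllib.parse import unquote

# Constructed sample requests (not taken from the poster's pcap). The first request
# line reproduces the URL quoted in the thread; the other two are hypothetical.
SAMPLE_REQUESTS = {
    "xss_single_encoded": (
        b"GET /tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)"
        b"%3C/script%3E%3Cscript%3E HTTP/1.1\r\n"
        b"Host: my.test.server.org\r\n\r\n"
    ),
    "xss_double_encoded": (
        b"GET /tstwww/dp//?mktportal=%253C/script%253E HTTP/1.1\r\n"
        b"Host: my.test.server.org\r\n\r\n"
    ),
    "benign": (
        b"GET /tstwww/dp//?mktportal=home HTTP/1.1\r\n"
        b"Host: my.test.server.org\r\n\r\n"
    ),
}

# The content both rules in the thread look for.
PATTERN = "</script>"


def request_uri(raw: bytes) -> str:
    """Return the request-target from the first line of an HTTP/1.x request."""
    request_line = raw.split(b"\r\n", 1)[0]
    _method, uri, _version = request_line.split(b" ", 2)
    return uri.decode("ascii")


def content_match(pattern: str, buf: str, nocase: bool = True) -> bool:
    """Emulate content:"..."; nocase; as a plain substring test."""
    return (pattern.lower() in buf.lower()) if nocase else (pattern in buf)


def check_uri_buffers(raw: bytes, pattern: str = PATTERN) -> dict:
    """Test the pattern against the raw URI and against one and two rounds of
    percent-decoding, which is where a URL-encoded payload becomes literal."""
    uri = request_uri(raw)
    once = unquote(uri)
    twice = unquote(once)
    return {
        "raw": content_match(pattern, uri),
        "decoded_once": content_match(pattern, once),
        "decoded_twice": content_match(pattern, twice),
    }


def run_all() -> dict:
    """Run the check over every constructed request."""
    return {name: check_uri_buffers(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:22s} {result}")
```

For the request in the thread the literal string "</script>" is not present in the raw request-target at all (it is carried as "%3C/script%3E"), so a content match on it can only succeed on a buffer the engine has percent-decoded; the double-encoded request needs two rounds. Both Snort and Suricata expose a separate raw buffer via http_raw_uri, so if a signature has to fire regardless of the normalization settings, it can carry an additional content match on the encoded form against that buffer.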

