[Oisf-users] Detecting XSS

Peter Manev petermanev at gmail.com
Sat Jun 2 03:37:07 UTC 2018


> On 1 Jun 2018, at 20:04, C. L. Martinez <carlopmart at gmail.com> wrote:
> 
>> On Fri, Jun 01, 2018 at 05:08:58PM +0200, Peter Manev wrote:
>>> On Fri, Jun 1, 2018 at 9:22 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
>>> Hi all,
>>> 
>>> I am doing some XSS tests with Suricata 4.0.4 and 4.1beta1 (both installed
>>> under CentOS 7.5 fully patched) and they are not detected by Suricata.
>>> 
>>> For example launching a request like:
>>> 
>>> http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E
>>> 
>>> ... no alert is triggered and I have loaded and activated all ET-open
>>> rules under Suricata.
>>> 
>>> eve.json only logs the server response and not the client request.
>>> 
>> 
>> Maybe that could be a clue for not having an alert? (not seeing all
>> the traffic ?)
>> 
>> Also - do you have all configs set up properly as well in terms of
>> home/ext nets variables and rule set up (that detects) for that
>> particular exploit/test.
>> 
>> 
> I have checked with snort, and an alert is triggered with it.
> 
> Snort rule:
> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; sid:9000001; rev:1;)
> 
> Suricata rule:
> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; sid:900001; rev:1;)
> 
> I am using a pcap capture and request is here ... 

Is it possible to share the pcap, please? (Privately, if you need to, is no problem as well.)



> 
> -- 
> Greetings,
> C. L. Martinez
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
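As an added illustration (not part of the thread or of either project's code), the Python below emulates what the two quoted rules match on: the raw URI bytes as sent versus a percent-decoded approximation of the normalized URI buffer that uricontent/http_uri inspect. The request URL is the one quoted earlier in the thread; the function names are my own.

```python
from urllib.parse import urlsplit, unquote

# Test request quoted earlier in the thread (the XSS probe).
TEST_URL = ("http://my.test.server.org/tstwww/dp//?mktportal="
            "%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E")

# The content both quoted rules look for, with the nocase modifier.
PATTERN = b"</script>"


def raw_uri(url: str) -> bytes:
    """Path plus query exactly as sent on the wire (no decoding),
    i.e. what a raw-URI buffer would contain."""
    parts = urlsplit(url)
    uri = parts.path
    if parts.query:
        uri += "?" + parts.query
    return uri.encode()


def normalized_uri(url: str) -> bytes:
    """Percent-decoded path and query: an approximation (assumption) of the
    normalized URI buffer that uricontent / http_uri match against."""
    return unquote(raw_uri(url).decode()).encode()


def content_match(buf: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Emulate a content match, honouring the nocase modifier."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(url: str) -> dict:
    """Report whether the rule content would hit the raw and the
    normalized URI buffers for the given request."""
    return {
        "raw_uri_match": content_match(raw_uri(url), PATTERN),
        "normalized_uri_match": content_match(normalized_uri(url), PATTERN),
    }


if __name__ == "__main__":
    print(evaluate(TEST_URL))
```

The encoded `%3C/script%3E` only becomes `</script>` after decoding, so a rule keyed on the normalized URI can fire while a raw-URI match on the same content cannot; whichever buffer is used, the engine still has to see the client request (flow:to_server), which the eve.json observation above suggests may not be happening.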