[Oisf-users] Detecting XSS

Francis Trudeau ftrudeau at emergingthreats.net
Mon Jun 4 19:55:09 UTC 2018 

When I test here, with a straight copy of the url above (and changed
hostname), I get this alert:

06/04/2018-13:52:42.304756  [**] [1:2009714:7] ET WEB_SERVER Script
tag in URI Possible Cross Site Scripting Attempt [**] [Classification:
Web Application Attack] [Priority: 1] {TCP} 10.3.2.11:60258 ->
re.da.ct.ed:80





On Fri, Jun 1, 2018 at 9:37 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>> On 1 Jun 2018, at 20:04, C. L. Martinez <carlopmart at gmail.com> wrote:
>>
>>> On Fri, Jun 01, 2018 at 05:08:58PM +0200, Peter Manev wrote:
>>>> On Fri, Jun 1, 2018 at 9:22 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I am doing some XSS tests with Suricata 4.0.4 and 4.1beta1 (both installed
>>>> under CentOS 7.5 fully patched) and they are not detected by Suricata.
>>>>
>>>> For example launching a request like:
>>>>
>>>> http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E
>>>>
>>>> ... no alert is triggerred and I have loaded and activated all ET-open
>>>> rules under Suricata.
>>>>
>>>> eve.json only log the server response and not the client request.
>>>>
>>>
>>> Maybe that could be a clue for not having an alert? (not seeing all
>>> the traffic ?)
>>>
>>> Also - do you have all configs set up properly as well in terms of
>>> home/ext nets variables and rule set up (that detects) for that
>>> particular exploit/test.
>>>
>>>
>> I have checked with snort, and an alert is triggered with it.
>>
>> Snort rule:
>> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; sid:9000001; rev:1;)
>>
>> Suricata rule:
>> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; sid:900001; rev:1;)
>>
>> I am using a pcap capture and request is here ...
>
> Is it possible to share the pcap please? (Privately if you need to as well is no problem)
>
>
>
>>
>> --
>> Greetings,
>> C. L. Martinez
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list