[Oisf-users] Detecting XSS

C. L. Martinez carlopmart at gmail.com
Tue Jun 5 05:57:02 UTC 2018


Uhmm ... Thanks Francis. Is it possible to enable some debug mode (at
suricata or rule level) to see what happens? It is really strange that
snort detects this XSS and suricata does not ...

On Mon, Jun 4, 2018 at 9:55 PM, Francis Trudeau <
ftrudeau at emergingthreats.net> wrote:

> When I test here, with a straight copy of the url above (and changed
> hostname), I get this alert:
>
> 06/04/2018-13:52:42.304756  [**] [1:2009714:7] ET WEB_SERVER Script
> tag in URI Possible Cross Site Scripting Attempt [**] [Classification:
> Web Application Attack] [Priority: 1] {TCP} 10.3.2.11:60258 ->
> re.da.ct.ed:80
>
>
>
>
>
> On Fri, Jun 1, 2018 at 9:37 PM, Peter Manev <petermanev at gmail.com> wrote:
> >
> >> On 1 Jun 2018, at 20:04, C. L. Martinez <carlopmart at gmail.com> wrote:
> >>
> >>> On Fri, Jun 01, 2018 at 05:08:58PM +0200, Peter Manev wrote:
> >>>> On Fri, Jun 1, 2018 at 9:22 AM, C. L. Martinez <carlopmart at gmail.com>
> wrote:
> >>>> Hi all,
> >>>>
> >>>> I am doing some XSS tests with Suricata 4.0.4 and 4.1beta1 (both installed
> >>>> under CentOS 7.5 fully patched) and they are not detected by Suricata.
> >>>>
> >>>> For example launching a request like:
> >>>>
> >>>> http://my.test.server.org/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3Ealert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E
> >>>>
> >>>> ... no alert is triggered and I have loaded and activated all ET-open
> >>>> rules under Suricata.
> >>>>
> >>>> eve.json only logs the server response and not the client request.
> >>>>
> >>>
> >>> Maybe that could be a clue for not having an alert? (not seeing all
> >>> the traffic ?)
> >>>
> >>> Also - do you have all configs set up properly as well in terms of
> >>> home/ext nets variables and rule set up (that detects) for that
> >>> particular exploit/test.
> >>>
> >>>
> >> I have checked with snort, and an alert is triggered with it.
> >>
> >> Snort rule:
> >> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; sid:9000001; rev:1;)
> >>
> >> Suricata rule:
> >> alert tcp any any -> any any (msg:"Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; sid:900001; rev:1;)
> >>
> >> I am using a pcap capture and request is here ...
> >
> > Is it possible to share the pcap please? (Privately if you need to is no
> > problem as well)
> >
> >
> >
> >>
> >> --
> >> Greetings,
> >> C. L. Martinez
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>
> >> Conference: https://suricon.net
> >> Trainings: https://suricata-ids.org/training/
>
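An added example, not from the thread and not Suricata, Snort or ET code: a small Python script that applies the rule content both rules in the thread use (`</script>`, nocase, against the request URI) and triages eve.json `http` records for the symptom described above, a response being logged with no request. Assumptions: a single percent-decoding pass is used to approximate the normalized URI buffer that `uricontent`/`http_uri` match against; an `http` record carrying a `status` but no `http_method`/`url` is treated as a flow whose request side the sensor never saw; the eve.json lines are constructed here, only the URI itself is the one from the thread.

```python
import json
from urllib.parse import unquote

# Content both rules in the thread look for, matched case-insensitively
# against the (normalized) request URI.
PATTERN = "</script>"


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized-URI buffer with one percent-decoding pass.

    Assumption: this is close enough to what uricontent/http_uri see for the
    purpose of checking whether a given request URI can match the rule.
    Anything still encoded after one pass (e.g. %253C) stays unmatched."""
    return unquote(raw_uri)


def uri_matches(raw_uri: str, pattern: str = PATTERN) -> bool:
    """Emulate content:"</script>"; nocase; http_uri; on a raw request URI."""
    return pattern.lower() in normalize_uri(raw_uri).lower()


def triage_eve(lines):
    """Walk eve.json lines and return:
       hits   - request URIs from http records the rule content would match
       oneway - flow_ids of http records that have no http_method/url,
                i.e. a response was logged without the request being seen
                (assumption about what a one-sided flow looks like in eve)."""
    hits, oneway = [], []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        h = ev.get("http", {})
        if "http_method" not in h or "url" not in h:
            oneway.append(ev.get("flow_id"))
            continue
        if uri_matches(h["url"]):
            hits.append(h["url"])
    return {"hits": hits, "oneway": oneway}


# Constructed eve.json records (not from the pcap discussed in the thread).
# Flow 1: full request/response, URI from the thread.
# Flow 2: only the response side was seen, so no method/url was logged.
# Flow 3: benign request. Flow 4: not an http record at all.
SAMPLE_EVE = [
    json.dumps({"event_type": "http", "flow_id": 1, "http": {
        "hostname": "my.test.server.org", "http_method": "GET",
        "url": "/tstwww/dp//?mktportal=%3C/script%3E%3Cscript%3E"
               "alert(%27myXXSSpoc%27)%3C/script%3E%3Cscript%3E",
        "status": 200}}),
    json.dumps({"event_type": "http", "flow_id": 2, "http": {
        "hostname": "my.test.server.org", "status": 200, "length": 512}}),
    json.dumps({"event_type": "http", "flow_id": 3, "http": {
        "hostname": "my.test.server.org", "http_method": "GET",
        "url": "/tstwww/dp/?mktportal=news", "status": 200}}),
    json.dumps({"event_type": "flow", "flow_id": 4}),
]

if __name__ == "__main__":
    result = triage_eve(SAMPLE_EVE)
    print("rule content would match:", result["hits"])
    print("flows with response but no request seen:", result["oneway"])
```

If the real eve.json from the capture shows the tested flow in the `oneway` list, the rule never had a request URI to inspect, which is the direction Peter's "not seeing all the traffic?" question points in; if the URI shows up under `hits`, the rule content itself is fine and the problem lies elsewhere (rule loading, variables, or the traffic reaching the sensor).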