Snort mailing list archives
Rule for alerting XSS custom header attack.
From: Vladyslav Dzhoklo via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 8 Sep 2019 22:21:54 +0400
Good day,

I am writing regarding a rule for alerting on an XSS custom-header attack. Is there any possibility to detect an additional header in an HTTP request/response? I have written a rule for detecting a script in some of the HTTP fields (for example Referer); this is how it looks:

alert tcp any any -> any any \
( \
msg: "XSS Back Button Detected"; \
content: "Referer"; \
http_header; \
pcre: "/(;)+[^\n]+(;)/i"; \
sid:111; \
)

The rule above works perfectly. However, I am facing issues writing a rule for detecting a custom HTTP header field (which is not defined). I was thinking about using negation; however, I did not find any additional information on how to use it. Basically, what I mean is that the rule must detect any additional header if it is not a defined header (in other words, created by an attacker). Below you can see the rule; however, it does not detect a change in the HTTP header.

alert tcp any any -> any any \
( \
msg: "XSS Back Button Detected"; \
content:"GET"; \
content:!"Host"; \
content:!"User-Agent"; \
content:!"Accept"; \
content:!"Accept-Language"; \
content:!"Accept-Encoding"; \
content:!"Referer"; \
content:!"Cookie"; \
content:!"Connection"; \
content:!"Upgrade-Insecure-Requests"; \
http_header; \
pcre: "/((\%3C)|<)+[^\n]+((\%3E)|>)/i"; \
sid:121; \
)

Can you please help me to solve this issue?

Best Regards.
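As an added example (not from the post or from Snort itself), the allowlist check the post is reaching for, written in Python: parse the request headers, flag any name outside the set of expected headers (the names negated in the second rule), and apply the post's tag pattern to header values. The sample request is constructed, and the last function approximately emulates why a chain of negated content matches cannot express "an unexpected header is present".

```python
import re

# Expected request headers (the names negated in the post's second rule);
# anything outside this set is treated as a custom header.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "referer", "cookie", "connection", "upgrade-insecure-requests",
}

# The tag pattern from the post's second rule: raw or URL-encoded angle brackets.
TAG_RE = re.compile(r"((%3C)|<)+[^\n]+((%3E)|>)", re.IGNORECASE)

# Constructed sample: a normal browser request plus one custom header
# whose value carries a URL-encoded tag.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "X-Custom-Note: %3Cb%3Ehello%3C/b%3E\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block, skipping the request line."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def custom_headers(raw_request: str) -> list[str]:
    """Allowlist check: header names not in KNOWN_HEADERS (case-insensitive)."""
    return [n for n, _ in parse_headers(raw_request) if n.lower() not in KNOWN_HEADERS]

def headers_with_tags(raw_request: str) -> list[str]:
    """Header names whose value matches the tag pattern."""
    return [n for n, v in parse_headers(raw_request) if TAG_RE.search(v)]

def negated_rule_fires(raw_request: str) -> bool:
    """Approximate emulation of the post's second rule: each content:!"X" requires
    X to be absent, so the rule can only match when none of the known headers appear."""
    negated = ["Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding",
               "Referer", "Cookie", "Connection", "Upgrade-Insecure-Requests"]
    return "GET" in raw_request and not any(h in raw_request for h in negated)
```

On the sample request the allowlist check and the tag check both point at X-Custom-Note, while the emulated negated rule does not fire because the ordinary headers are present.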