Snort mailing list archives

Rule for alerting XSS custom header attack.


From: Vladyslav Dzhoklo via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 8 Sep 2019 22:18:24 +0400

Good day,

I am writing regarding a rule for alerting on an XSS custom header attack. Is
there any possibility to detect an additional header in an HTTP request/response? I
have written a rule for detecting a script in some of the HTTP fields (for
example Referer); this is how it looks:
alert tcp any any -> any any \
( \
  msg: "XSS Back Button Detected"; \
  content: "Referer"; \
  http_header; \
  pcre: "/(;)+[^\n]+(;)/i"; \
  sid:111; \
)
The rule above works perfectly.
  However, I am facing issues writing a rule for detecting a custom HTTP
header field (one which is not defined). I was thinking about using negation;
however, I did not find any additional information on how to use it.
Basically, what I mean is that the rule must detect any additional header if it
is not a defined header (in other words, one created by the attacker). Below you can
see the rule; however, it does not detect a change in the HTTP header.

alert tcp any any -> any any \
( \
  msg: "XSS Back Button Detected"; \
  content:"GET"; \
  content:!"Host"; \
  content:!"User-Agent"; \
  content:!"Accept"; \
  content:!"Accept-Language"; \
  content:!"Accept-Encoding"; \
  content:!"Referer"; \
  content:!"Cookie"; \
  content:!"Connection"; \
  content:!"Upgrade-Insecure-Requests"; \
  http_header; \
  pcre: "/((\%3C)|<)+[^\n]+((\%3E)|>)/i"; \
  sid:121; \
)

Can you please help me to solve this issue?

Best Regards.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
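The detection the post is after (flag any request header whose name is not one of the standard ones, and flag any header value carrying a literal or percent-encoded <...> sequence) is easier to reason about outside rule syntax. The following Python script is an added example, not code from the original post or from the Snort project. It uses the header allowlist from the second rule and a regex equivalent to that rule's pcre; the three sample requests are constructed for this example. Snort content negation cannot express "some header not in this list" (a negated content only requires that the string be absent from the buffer), which is why the posted rule never fires; a per-header allowlist check like the one below is the logic that would actually be needed.

```python
"""
Added example: inspect raw HTTP requests for custom headers and for
<...> / %3C...%3E sequences in header values. Not part of the original
post; the allowlist, the regex and the sample requests are assumptions
made for this illustration.
"""
import re
from urllib.parse import unquote

# Allowlist built from the header names negated in the posted rule.
# Anything else is reported as a custom header (assumption for this example).
STANDARD_HEADERS = frozenset(h.lower() for h in (
    "Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding",
    "Referer", "Cookie", "Connection", "Upgrade-Insecure-Requests",
))

# Equivalent of the posted pcre /((\%3C)|<)+[^\n]+((\%3E)|>)/i :
# a literal or percent-encoded '<', then at least one character on the same
# line, then a literal or percent-encoded '>'.
TAG_RE = re.compile(r"(?:%3C|<)[^\n]+?(?:%3E|>)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value)]).
    Header folding is not handled; the constructed samples do not use it."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed or empty line; skip it
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def inspect_request(raw: str):
    """Return a list of (reason, header_name) findings, in header order.
    'custom-header' : name is not on the allowlist
    'xss-pattern'   : value matches TAG_RE, raw or after one percent-decode
    """
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers:
        if name.lower() not in STANDARD_HEADERS:
            findings.append(("custom-header", name))
        # Check the raw value and a once-decoded copy so that a payload that is
        # percent-encoded twice (%253C) is still caught after one decode pass.
        if TAG_RE.search(value) or TAG_RE.search(unquote(value)):
            findings.append(("xss-pattern", name))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.0\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    "\r\n"
)

CUSTOM_XSS = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Custom-Data: <script>alert(1)</script>\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

REFERER_ENCODED = (
    "GET /page HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Referer: http://example.com/?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("custom+xss", CUSTOM_XSS),
                       ("referer", REFERER_ENCODED)):
        print(label, inspect_request(req))
```

Note that a bare "custom-header" finding is noisy in practice: browsers and proxies routinely send headers outside this nine-name list (X-Requested-With, Sec-Fetch-*, X-Forwarded-For and so on), so the allowlist alone is not evidence of an attack; the "xss-pattern" finding on the header value is the part that carries signal.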
