I updated to Suricata 6.0.1 and ran Suricata with a rule file containing the following three rules.
rule 1: alert http any any -> any any (msg:"detect XSS"; flow:established,to_server; http.request_body; url_decode; content:"("; nocase; fast_pattern; sid:1001;)
rule 2: alert http any any -> any any (msg:"detect XSS"; flow:established,to_server; http.request_body; pcre:"/\b(fromcharcode|alert|eval)\s*\(/Pi"; sid:1002;)
rule 3: alert http any any -> any any (msg:"detect XSS"; flow:established,to_server; http.request_body; url_decode; content:"("; nocase; fast_pattern; http.request_body; pcre:"/\b(fromcharcode|alert|eval)\s*\(/Pi"; sid:1003;)
And I get 1 alert in total.
But when I load the signatures separately, in three tests, I get 2 alerts for rule 1 and rule 2.
The test pcap file is attached here: test.pcap (1015 Bytes)
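The rules above inspect two different views of the same body: `url_decode` applies only to the buffer instance it follows, so the second `http.request_body` in rule 3 hands the pcre the raw, undecoded body. The following Python model (an added example, not the poster's code and not Suricata itself; the sample bodies are constructed, not taken from the attached pcap) shows how that makes the combined rule fire on fewer requests than rule 1 alone.

```python
import re
from urllib.parse import unquote_plus

# Rule 1 (sid:1001): url_decode transform, then content:"(" (nocase).
# Suricata's url_decode replaces %HH with its byte and '+' with a space,
# which unquote_plus models here.
def rule1(body: str) -> bool:
    return "(" in unquote_plus(body)

# Rule 2 (sid:1002): pcre on the raw request body, no transform.
# /i maps to re.IGNORECASE; the trailing \( requires a literal parenthesis.
PCRE = re.compile(r"\b(fromcharcode|alert|eval)\s*\(", re.IGNORECASE)

def rule2(body: str) -> bool:
    return PCRE.search(body) is not None

# Rule 3 (sid:1003): both conditions must hold for the same request, and the
# second http.request_body keyword resets to the untransformed buffer, so the
# pcre still sees the raw body (assumption: single-request transactions).
def rule3(body: str) -> bool:
    return rule1(body) and rule2(body)

# Constructed sample POST bodies (hypothetical, not from test.pcap).
BODIES = [
    "name=alert(1)",          # plain: all three rules match
    "q=alert%281%29",         # encoded '(': rule 1 matches after decoding,
                              # rule 2 never sees a literal '(' -> rule 3 misses
    "a=EVAL (x)",             # whitespace before '(': pcre's \s* absorbs it
    "comment=hello+world",    # benign: nothing matches
]

def alert_counts(bodies=BODIES) -> dict:
    """Alerts each rule would raise over the sample bodies."""
    return {
        "sid1001": sum(rule1(b) for b in bodies),
        "sid1002": sum(rule2(b) for b in bodies),
        "sid1003": sum(rule3(b) for b in bodies),
    }

if __name__ == "__main__":
    for sid, n in alert_counts().items():
        print(sid, n)
```

The combined rule can only ever fire on a subset of what rule 1 fires on, so a request whose parenthesis is URL-encoded is one way the separate and combined counts diverge.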