[Snort-users] Vulnerable to Cross Site Scripting (XSS) or not?

Jesper Skou Jensen jesper.skou.jensen at ...1273...
Tue Aug 5 04:36:02 EDT 2008

Hi there,

Our snort quite often triggers the following rule

cross site scripting attempt"; flow:to_server,established; 
content:"<SCRIPT"; nocase; classtype:web-application-attack; sid:1497; 

and the syslog messages look like this:

Aug  5 06:25:53 snort: [1:1497:7] WEB-MISC cross site scripting attempt 
[Classification: Web Application Attack] [Priority: 1]: {TCP} -> = the outside attacker = our webserver

I'm trying to understand why that is, and what exactly it is that is 
triggering it, and I hope you guys can help me do that.

1. As far as I understand it, is trying to send "<SCRIPT" in e.g. 
a webform on Is that correct?

2. It's triggered because there should be no "<SCRIPT" coming from the 
outside to our server, correct?

3. Is there an easy way to work out if the webserver/application is 
vulnerable or not?

Jesper S. Jensen
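
To see which part of a request tripped sid 1497, the sketch below (an added example, not part of the original post and not Snort's own code) reproduces only the rule's case-insensitive `<SCRIPT` content test on a client-to-server payload and reports whether each hit sits in the request line, a header or the body. The function name `locate_matches` and the sample requests are constructed, and the payload is assumed to start at the HTTP request line.

```python
# Added example: emulates only the content:"<SCRIPT"; nocase; test of sid 1497.
# Assumption: payload starts at the HTTP request line (not a mid-stream segment).
PATTERN = b"<script"

def locate_matches(payload: bytes):
    """Return (part, byte_offset) for every case-insensitive "<SCRIPT" hit."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    body_start = len(head) + len(sep)
    # Map each line of the header block to a byte range and a label.
    regions, pos = [], 0
    for i, line in enumerate(head.split(b"\r\n")):
        if i == 0:
            label = "request-line"
        else:
            name = line.split(b":", 1)[0].decode("latin-1").strip().lower()
            label = "header:" + name
        regions.append((pos, pos + len(line), label))
        pos += len(line) + 2  # step over the CRLF
    lowered, hits, start = payload.lower(), [], 0
    while (idx := lowered.find(PATTERN, start)) != -1:
        label = "body" if sep and idx >= body_start else next(
            (lab for lo, hi, lab in regions if lo <= idx < hi), "unknown")
        hits.append((label, idx))
        start = idx + 1
    return hits

# Constructed samples (not traffic from the original post).
GET_QUERY = (b"GET /search?q=<script>x</script> HTTP/1.1\r\n"
             b"Host: www.example.com\r\n\r\n")
PUT_HTML = (b"PUT /pages/menu.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b'<html><SCRIPT src="/js/menu.js"></SCRIPT></html>')
REFERER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Referer: http://www.example.com/?q=<SCRIPT>\r\n\r\n")
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("GET_QUERY", GET_QUERY), ("PUT_HTML", PUT_HTML),
                         ("REFERER", REFERER), ("CLEAN", CLEAN)]:
        print(name, locate_matches(sample))
```

A hit in the body of a legitimate HTML upload, as in the `PUT_HTML` sample, fires the rule just as a hit in a query string does, so the location of the match is the first thing to establish when triaging the alert.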

