Testmyids from browser

[Carlos-mb]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

other (please provide detail below)
Proxmox VM at home lab

Hardware Specs

Exceeds minimum requirements

CPU

5
Proxmox reports CPU 5% usage for this VM and SO works fine

RAM

24
Proxmox reported 70% used

Storage for /

64Gb (42% used)

Storage for /nsm

124Gb (45% used)

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi

I know that try the IDS using http://testmyids.com/ has been discussed many times but I'd to share the current situation and I'd like to get your help in order to improve my comprehension of some concepts.

The point is that if I do the test using CURL command, it works (as you surely know).
And I'd like to be able to make it work using browser.

I have used the original rute to create a new one that should be able to create an alert when browsing, but it doesn't work.

This is the rule I have created:

alert ip any any -> any any (msg:"Navegador GPL ATTACK_RESPONSE id check returned root"; flow:established,to_client; http.response_body; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1658581; rev:1; metadata:created_at 2024_06_16, updated_at 2024_06_16;)

It creates the alert when using curl, but still not work when using a browser from the same computer. It happens with http://testmyids.com/ and https://testmynids.org/uid/index.html

I'll thank your comments.

Regards,
Carlos.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

The default version of SID 2100498 GPL ATTACK_RESPONSE id check returned root should fire when a web browser connects to http://testmynids.org/uid/index.html.

Here are some things you can try:

• double-check that you are accessing http://testmynids.org/uid/index.html (it must be http and NOT https)
• verify that the browser displays the text uid=0(root) gid=0(root) groups=0(root)
• shift-reload in your browser to make sure it is not showing a cached version of the page
• try incognito mode in your browser
• make sure the browser isn't using a proxy server
• try a different browser
• try a different computer
• make sure that the computer's traffic is actually being monitored by your Security Onion sensor

[Carlos-mb]

I had already tried all you suggested, except to use another computer.

It works when connecting from the tablet but not when using different browsers from PC. It makes sense in Chome because it's forcing https, but Edge isn't. And I'm using Developer Tools to force to empty the cache and it's not detected anyway,

But, it works if I do it from the tablet and they are connected to the same Wifi AP and they are in the same subnet, in fact, the have correlative IP address....

It's a mystery for me.

Thank your your help.