Rule Category

INDICATOR-OBFUSCATION -- Snort detected system behavior that suggests the system has been affected by malware. Such behavior is known as an Indicator of Compromise (IOC). The symptoms can span a wide range of behaviors, from a suspicious file name to an unusual use of a utility. Symptoms do not guarantee an infection; your network may not be affected by malware and may instead be showing indicators as a result of a normal function. This alert specifically refers to a method of disguising code, known as obfuscation. Obfuscation methods are used to perform innocent convenience tasks (for instance, JavaScript used to condense jQuery scripts, or a compiler using obfuscation to protect the full code for NDA reasons), but they can also be used to hide an attack.

Alert Message

INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting

Rule Explanation

This event is generated when a script tag is detected in an HTTP POST request.

Impact: Web Application Attack

Details:

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos Intelligence Group

MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:


Additional Links

Rule Vulnerability

CVE Additional Information

Cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.

Severity: HIGH
Base Score: 9.3
Impact Score: 10.0
Exploit Score: 8.6
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access:

Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 SP1 and SharePoint Server 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability."

Severity: MEDIUM
Base Score: 4.3
Impact Score: 2.9
Exploit Score: 8.6
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector:
Authentication: NONE
Ease of Access: