[Snort-sigs] Browser Extension Hijack sigs

James Lay jlay at ...3266...
Mon May 13 13:02:35 EDT 2013


http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx

I created the firefox plugin sigs a while ago (fixed):

# .xpi requested with "mozilla" in the request headers (e.g. Host: addons.mozilla.org); lowercase match avoids the "Mozilla/5.0" User-Agent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_header; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:2;)

# .xpi requested from anywhere without "mozilla" in the request headers
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Firefox Plugin install from non-trusted source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000030; rev:2;)

These should match with Chrome:

# Chrome Web Store download: "/crx/blobs" in the URI (|2f| is "/") with "googleusercontent" in the headers
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Chrome Plugin install"; flow:to_server,established; content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000054; rev:1;)

# Same URI pattern served from a host other than googleusercontent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000055; rev:1;)

Enjoy

James
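As an added example (not part of James's post and not Snort code), the following Python script emulates the header/URI content matching of the four rules above and runs it over a handful of constructed HTTP requests, so you can see which sid each request trips and why the rules deliberately match lowercase "mozilla" rather than using nocase. Assumptions: the http_header buffer is modelled as the header block between the request line and the first blank line, http_uri as the request-target, and flow/port constraints are not emulated; all request samples and hostnames other than the ones named in the rules are made up.

```python
# Added example (not from the original post or the Snort project): emulate the
# header/URI matching of the four posted rules over constructed HTTP requests.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    header_content: bytes   # content matched against the http_header buffer
    header_negated: bool    # True for content:!"..."
    uri_content: bytes      # content matched against the http_uri buffer


# Same sids, messages and content strings as the posted rules.
# "|2f|crx|2f|blobs" is just the hex-escaped spelling of "/crx/blobs".
RULES = [
    Rule(10000029, "POLICY Firefox Plugin install", b"mozilla", False, b".xpi"),
    Rule(10000030, "POLICY Possible Firefox Plugin install from non-trusted source", b"mozilla", True, b".xpi"),
    Rule(10000054, "POLICY Chrome Plugin install", b"googleusercontent", False, b"/crx/blobs"),
    Rule(10000055, "POLICY Possible Chrome Plugin install from non-trusted source", b"googleusercontent", True, b"/crx/blobs"),
]


def parse_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (uri, header_block) for a raw HTTP/1.x request.

    Simplification (assumption): the http_header buffer is taken to be the bytes
    between the request line and the first blank line, and http_uri is the
    request-target. flow:to_server,established and $HTTP_PORTS are not emulated.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1], headers


def header_contains(raw: bytes, content: bytes, nocase: bool = False) -> bool:
    """Snort content matches are case-sensitive unless nocase is given."""
    _uri, headers = parse_request(raw)
    if nocase:
        return content.lower() in headers.lower()
    return content in headers


def rule_matches(rule: Rule, raw: bytes) -> bool:
    """None of the posted rules use nocase, so plain case-sensitive searches."""
    uri, _headers = parse_request(raw)
    header_hit = header_contains(raw, rule.header_content)
    if rule.header_negated:
        header_hit = not header_hit
    return header_hit and rule.uri_content in uri


def fired_sids(raw: bytes) -> List[int]:
    """All sids that would fire on this request, in rule order."""
    return [r.sid for r in RULES if rule_matches(r, raw)]


# Constructed sample requests (not real captures). Most browser User-Agents
# begin with "Mozilla/5.0" (capital M); matching lowercase "mozilla" hits
# "Host: addons.mozilla.org" but not that User-Agent header.
UA = b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n"

FIREFOX_AMO = (b"GET /firefox/downloads/file/1234/addon.xpi HTTP/1.1\r\n"
               b"Host: addons.mozilla.org\r\n" + UA + b"\r\n")
FIREFOX_OTHER = (b"GET /static/helper.xpi HTTP/1.1\r\n"
                 b"Host: cdn.example.net\r\n" + UA + b"\r\n")
CHROME_STORE = (b"GET /crx/blobs/AAAA/extension_1_0.crx HTTP/1.1\r\n"
                b"Host: clients2.googleusercontent.com\r\n" + UA + b"\r\n")
CHROME_OTHER = (b"GET /crx/blobs/AAAA/extension_1_0.crx HTTP/1.1\r\n"
                b"Host: updates.example.org\r\n" + UA + b"\r\n")
UNRELATED = (b"GET /index.html HTTP/1.1\r\n"
             b"Host: www.example.com\r\n" + UA + b"\r\n")


if __name__ == "__main__":
    samples = [("FIREFOX_AMO", FIREFOX_AMO), ("FIREFOX_OTHER", FIREFOX_OTHER),
               ("CHROME_STORE", CHROME_STORE), ("CHROME_OTHER", CHROME_OTHER),
               ("UNRELATED", UNRELATED)]
    for name, req in samples:
        print(f"{name}: fires {fired_sids(req)}")
    # The caveat: with nocase, "mozilla" would be found in every User-Agent,
    # so the negated header check in sid 10000030 could never succeed.
    print("nocase would see 'mozilla' in the untrusted request:",
          header_contains(FIREFOX_OTHER, b"mozilla", nocase=True))
```

Note that this models only the content/buffer logic; in a real sensor the `flow` keyword, the port variables and the HTTP preprocessor's normalisation also decide whether a packet reaches these rules at all.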




More information about the Snort-sigs mailing list