[Snort-sigs] [Emerging-Sigs] Browser Extension Hijack sigs

Will Metcalf wmetcalf at ...3525...
Mon May 13 13:38:45 EDT 2013


Nice! Have you seen anything other than googleusercontent.com or
mozilla.org? Also, it seems that both of these ship add-ons over SSL, at
least in my limited testing; have you seen something to the contrary?

Regards,

Will


On Mon, May 13, 2013 at 12:02 PM, James Lay <jlay at ...3266...> wrote:

> http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx
>
> I created the firefox plugin sigs a while ago (fixed):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_header; content:".xpi"; http_uri; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Firefox Plugin install from non-trusted source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; http_uri; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000030; rev:2;)
>
> These should match with Chrome:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Chrome Plugin install"; flow:to_server,established; content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000054; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000055; rev:1;)
>
> Enjoy
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...2570...
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
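To make the matching semantics of the four quoted rules concrete, here is an added example (not code from the thread or from Snort) that replays them over constructed plaintext HTTP requests; it also shows that the "trusted source" split hinges on the string appearing anywhere in the header block, not specifically in Host, and, as Will notes above, none of this sees add-ons fetched over SSL. Rule names and hosts other than the quoted match strings are placeholders.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:
    sid: int
    header_content: bytes  # content:"..."; http_header
    header_negated: bool   # True models content:!"..."
    uri_content: bytes     # content:"..."; http_uri

# sids and match strings are taken from the rules quoted above;
# "|2f|crx|2f|blobs" is Snort's hex escape for "/crx/blobs".
RULES = [
    Rule(10000029, b"mozilla", False, b".xpi"),                  # Firefox, trusted
    Rule(10000030, b"mozilla", True, b".xpi"),                   # Firefox, non-trusted
    Rule(10000054, b"googleusercontent", False, b"/crx/blobs"),  # Chrome, trusted
    Rule(10000055, b"googleusercontent", True, b"/crx/blobs"),   # Chrome, non-trusted
]

def matching_sids(request: bytes) -> List[int]:
    """Return the sids that fire on one plaintext HTTP client request.
    http_uri is the request URI; http_header is the whole header block (not
    only Host); content is case-sensitive without nocase, hence plain substring tests."""
    head = request.partition(b"\r\n\r\n")[0]
    request_line, _, headers = head.partition(b"\r\n")
    uri = request_line.split(b" ")[1]
    fired = []
    for r in RULES:
        in_header = r.header_content in headers
        header_ok = (not in_header) if r.header_negated else in_header
        if header_ok and r.uri_content in uri:
            fired.append(r.sid)
    return fired

# Constructed sample requests (hosts are placeholders).
TRUSTED_XPI = (b"GET /firefox/downloads/file/1234/addon.xpi HTTP/1.1\r\n"
               b"Host: addons.mozilla.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
ROGUE_XPI = (b"GET /dl/update.xpi HTTP/1.1\r\n"
             b"Host: cdn.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
TRUSTED_CRX = (b"GET /crx/blobs/AbCd/extension_1_0.crx HTTP/1.1\r\n"
               b"Host: clients2.googleusercontent.com\r\n\r\n")
ROGUE_CRX = (b"GET /crx/blobs/AbCd/extension_1_0.crx HTTP/1.1\r\n"
             b"Host: cdn.example.invalid\r\n\r\n")
# Same rogue host, but a Referer mentioning mozilla: because http_header spans
# every header, the "trusted" rule fires and the "non-trusted" one stays silent.
ROGUE_XPI_REFERER = (b"GET /dl/update.xpi HTTP/1.1\r\nHost: cdn.example.invalid\r\n"
                     b"Referer: https://addons.mozilla.org/\r\n\r\n")

if __name__ == "__main__":
    for name in ("TRUSTED_XPI", "ROGUE_XPI", "TRUSTED_CRX", "ROGUE_CRX", "ROGUE_XPI_REFERER"):
        print(name, matching_sids(globals()[name]))
```

Note that "Mozilla/5.0" in the User-Agent does not satisfy content:"mozilla" because the match is case-sensitive; a nocase modifier would change that.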