[Snort-sigs] [Emerging-Sigs] Browser Extension Hijack sigs

James Lay jlay at ...3266...
Mon May 13 13:53:57 EDT 2013


On 2013-05-13 11:38, Will Metcalf wrote:
> Nice! Have you seen be anything other than googleusercontent.com [9]
> or mozilla.org [10]? Also it seems that both of these ship add-ons
> over ssl at least in my limited testing, have you seen something to
> the contrary?
>
> Regards,
>
> Will

Yea...legit extensions go via https so we can poopcan:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Firefox Plugin install"; flow:to_server,established; content:"mozilla"; 
http_header; content:".xpi"; http_uri; 
reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; 
classtype:bad-unknown; sid:10000029; rev:1)

and

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Chrome Plugin install"; flow:to_server,established; 
content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; 
http_uri; 
reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; 
classtype:bad-unknown; sid:10000054; rev:1)

The other two *might* be useful...neither article really shows http or 
https :(  Thanks Will for catching the details I miss :)

James






More information about the Snort-sigs mailing list