[Snort-sigs] [Emerging-Sigs] Browser Extension Hijack sigs

James Lay jlay at ...3266...
Mon May 13 13:53:57 EDT 2013

On 2013-05-13 11:38, Will Metcalf wrote:
> Nice! Have you seen be anything other than googleusercontent.com [9]
> or mozilla.org [10]? Also it seems that both of these ship add-ons
> over ssl at least in my limited testing, have you seen something to
> the contrary?
> Regards,
> Will

Yea...legit extensions go via https so we can poopcan:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Firefox Plugin install"; flow:to_server,established; content:"mozilla"; 
http_header; content:".xpi"; http_uri; 
classtype:bad-unknown; sid:10000029; rev:1)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Chrome Plugin install"; flow:to_server,established; 
content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; 
classtype:bad-unknown; sid:10000054; rev:1)

The other two *might* be useful...neither article really shows http or 
https :(  Thanks Will for catching the details I miss :)


More information about the Snort-sigs mailing list