[Snort-sigs] Offer a new sig for detecting possible wpad Name Collision

Joshua Williams joshuwi2 at ...435...
Tue May 31 09:06:47 EDT 2016


Hi,

Thanks for your submission. I'll review and test this rule and get back to
you when it's finished.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Mon, May 30, 2016 at 2:57 PM, rmkml <rmkml at ...4129...> wrote:

> Hi,
>
> The http://etplc.org open source project offers a new sig for detecting
> possible wpad Name Collision:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Host wpad. possible Name Collision attempt"; flow:to_server,established; content:"Host|3a| wpad."; nocase; http_header; reference:url,www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf; reference:url,www.us-cert.gov/ncas/alerts/TA16-144A; classtype:misc-attack; sid:1; rev:1;)
>
> See reference for more information.
>
> Don't forget to check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml
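An added example, not part of the original post or of Snort: Python that approximates the submitted rule's `content:"Host|3a| wpad."; nocase;` match as a case-insensitive substring search over the header block and compares it with a parsed Host-header check, to show where the two disagree. The function names and all sample headers are constructed for illustration, and Snort's own `http_header` buffer normalization is not modelled.

```python
# Added example: compares the rule's literal content match with a parsed
# Host-header check. Approximation only; sample headers are constructed.

RULE_CONTENT = b"host: wpad."  # content:"Host|3a| wpad."; nocase;


def rule_content_match(headers: bytes) -> bool:
    """Case-insensitive substring search anywhere in the header block.
    The rule's content has no position anchor, so any header can match."""
    return RULE_CONTENT in headers.lower()


def host_label_is_wpad(headers: bytes) -> bool:
    """Parse the Host header; true when its leftmost label is 'wpad'
    and at least one further label follows (wpad.<suffix>)."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"host":
            continue
        host = value.strip().lower().split(b":")[0]  # drop optional :port
        labels = host.rstrip(b".").split(b".")
        return len(labels) > 1 and labels[0] == b"wpad"
    return False


# Constructed header blocks (request line omitted, as in a header buffer).
SAMPLES = {
    "typical": b"Host: wpad.corp.example\r\n",
    "upper": b"HOST: WPAD.corp.example\r\n",
    "no_space": b"Host:wpad.corp.example\r\n",
    "other_header": b"Host: www.example.com\r\n"
                    b"X-Forwarded-Host: wpad.lab.example\r\n",
    "not_wpad": b"Host: wpadmin.example.com\r\n",
    "single_label": b"Host: wpad\r\n",
}


def compare(samples=SAMPLES):
    """Return {case: (rule_content_match, host_label_is_wpad)}."""
    return {k: (rule_content_match(v), host_label_is_wpad(v))
            for k, v in samples.items()}


if __name__ == "__main__":
    for case, (literal, parsed) in compare().items():
        flag = "" if literal == parsed else "  <-- differs"
        print(f"{case:13} literal={literal!s:5} parsed={parsed!s:5}{flag}")
```

The two checks differ on `no_space` (literal match misses it) and `other_header` (literal match fires on `X-Forwarded-Host`), which are the cases to include when testing the rule against captured traffic.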