[Snort-sigs] SNORT sig to cover the latest Chrome\FF Webex Vulnerability

joshua burgess avonyxx at ...12...
Tue Jan 24 14:22:03 EST 2017


So this is what I came up with to cover the latest vulnerability disclosed by Tavis regarding the Webex plugin in Chrome\FF.


Let me know what you think:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"STE-5803 - Cisco: Magic WebEx URL"; flow:established,to_server; content:"GET"; http_method; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; within:70; content:"HTTP/1.1"; within:15; content:"User-Agent|3a| WebExRA"; http_header; content:!".webex.com"; http_header; content:!"webex.com"; http_header; reference:url,https://bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:trojan-activity; sid:6000051; rev:1;)



Backstory:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170124/0d7470e3/attachment.html>


More information about the Snort-sigs mailing list