[Snort-sigs] SNORT sig to cover the latest Chrome\FF Webex Vulnerability

Patrick Mullen pmullen at ...435...
Wed Jan 25 09:43:19 EST 2017


Josh,

Thanks for the submission!  We released sid 41409 yesterday for this,
which is essentially a stripped-down version of what you wrote.  We've
moved our rule over to the community ruleset to make it available to
everyone immediately.

Here is what we released:


content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";
fast_pattern:only; http_uri;

And that's it.  Our version didn't have the other checks because we felt
that URI was so specific that it wouldn't have problems with False
Positives and by specifying the http_uri buffer, snort has assured us that
the packet is an HTTP packet and will have things like the http_method and
protocol version.  We also felt that the check for the User-Agent, while
narrowing the request down to the official client, could open our rule up
to False Negatives when someone used another (or custom) client to make the
request.

Thank you again for the rule submission!  If you have any more in the
future, please be sure to let us know!


Thanks,

~Patrick
-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
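
The trade-off described in the message above, as an added example that is not part of the original post and not Talos's or Josh's rule: a Python model of the URI-only match next to a hypothetical stricter variant, run over constructed requests. The `ua_token` value, the sample requests and the `example.test` host are assumptions; the parse step only stands in for Snort exposing an `http_uri` buffer for HTTP traffic.

```python
# The filename matched by the released rule (taken from the message above).
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

def parse_request(raw):
    """Return (method, uri, version, headers), or None if this is not HTTP."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # no request line, so there would be no URI buffer to match
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers

def uri_only_match(raw):
    """Released logic: one content match, evaluated against the URI only."""
    req = parse_request(raw)
    return req is not None and MAGIC in req[1]

def strict_match(raw, ua_token="Chrome"):
    """Hypothetical stricter variant: also pins method, version and User-Agent."""
    req = parse_request(raw)
    if req is None or MAGIC not in req[1]:
        return False
    method, _, version, headers = req
    return (method == "GET" and version == "HTTP/1.1"
            and ua_token in headers.get("user-agent", ""))

# Constructed sample traffic (not captured from a network).
UA = "User-Agent: Mozilla/5.0 Chrome/55.0"
SAMPLES = {
    "browser": f"GET /x/{MAGIC} HTTP/1.1\r\nHost: example.test\r\n{UA}\r\n\r\n",
    "custom_client": f"GET /x/{MAGIC} HTTP/1.0\r\nHost: example.test\r\n"
                     "User-Agent: custom/1.0\r\n\r\n",
    "benign": f"GET /index.html HTTP/1.1\r\nHost: example.test\r\n{UA}\r\n\r\n",
    "not_http": f"\x00\x01blob:{MAGIC}",
}

def evaluate():
    """Map each sample name to (uri_only result, strict result)."""
    return {n: (uri_only_match(r), strict_match(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:14} uri_only={loose!s:5} strict={strict}")
```

The `custom_client` row is the false negative the message warns about: the stricter variant stays silent while the URI-only match still fires.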