[Snort-sigs] Ads data leaks sigs

Phillip Lee phillile at sourcefire.com
Thu May 17 12:07:43 EDT 2018


Hi Yaser,
After reviewing this rule, we have decided not to add it to the community ruleset. While the information that gets leaked can be considered sensitive, it in itself is not the result of malicious activity. These rules might be more appropriate in a POLICY-OTHER category; however, that's something to be left to individuals. We appreciate your contribution.

Regards,
Phil Lee
Cisco Talos


> On Apr 27, 2018, at 11:04 AM, Phillip Lee <phillile at sourcefire.com> wrote:
> 
> Yaser,
> 
> Thanks for your submission. We will review the rules and get back to you when they're finished. 
> 
> Regards,
> Phil Lee
> Cisco Talos
> 
>> On Apr 27, 2018, at 10:38 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
>> 
>> Hi,
>> 
>> The first set of signatures is derived from the reference. The second set of rule(s) triggers against fake Windows prize ads. The goal of the detection is to prevent the leakage of user data that these ad SDKs send. Such data can be too revealing.
>> 
>> # Title: Leaking ads
>> # Reference: https://securelist.com/leaking-ads/85239/
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"POST"; http_method; content:"Package-Name: "; fast_pattern:only; http_header; content:"/qga/"; http_uri; content:"/data/"; http_uri; content:"Content-Type|3A 20|application/json"; http_header; content:"appSecrect|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000000; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/m/ad?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&nv="; http_uri; content:"&dn="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000001; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/getAd?"; fast_pattern:only; http_uri; content:"apid="; http_uri; content:"&ua="; http_uri; content:"&hswd="; http_uri; content:"&uip="; http_uri; content:"&conn="; http_uri; content:"&pkid="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000002; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/reaper/server/didsync"; fast_pattern:only; http_uri; content:"sv="; http_client_body; content:"did="; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000003; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/ams/api/register?"; fast_pattern:only; http_uri; content:"l="; http_uri; content:"|7B 22|channel|22|"; http_client_body; content:"|22|deviceBrand|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000004; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Easemob-SDK mobile app service plaintext authentication"; flow:to_server,established; content:"POST"; http_method; content:"/xlsummary/toekn"; fast_pattern:only; http_uri; content:"User-Agent: Easemob-SDK"; http_header; content:"|22|password|22|"; http_client_body; content:"|22|username|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000005; rev:1;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER winip7en fake Windows prize redirection information exposure"; flow:to_server,established; content:"GET"; http_method; content:"/winip7en_win.html?"; fast_pattern:only; http_uri; content:"isp="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000016; rev:1;)
>> 
>> Thanks.
>> YM
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-sigs
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
>> 
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>> 
>> Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
> 
