Hi Yaser,
After reviewing this rule, we have decided not to add it to the community ruleset. While the information that gets leaked can be considered sensitive, it is not in itself the result of malicious activity. These rules might be more appropriate in a POLICY-OTHER category; however, that's something to be left to individuals. We appreciate your contribution.

Regards,
Phil Lee
Cisco Talos


On Apr 27, 2018, at 11:04 AM, Phillip Lee <phillile@sourcefire.com> wrote:

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Regards,
Phil Lee
Cisco Talos

On Apr 27, 2018, at 10:38 AM, Y M via Snort-sigs <snort-sigs@lists.snort.org> wrote:

Hi,

The first set of signatures is derived from the reference. The second set of rule(s) triggers against fake Windows prize ads. The goal of the detection is to prevent the leakage of user data that these ad SDKs send. Such data can be too revealing.

# Title: Leaking ads

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"POST"; http_method; content:"Package-Name: "; fast_pattern:only; http_header; content:"/qga/"; http_uri; content:"/data/"; http_uri; content:"Content-Type|3A 20|application/json"; http_header; content:"appSecrect|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/m/ad?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&nv="; http_uri; content:"&dn="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/getAd?"; fast_pattern:only; http_uri; content:"apid="; http_uri; content:"&ua="; http_uri; content:"&hswd="; http_uri; content:"&uip="; http_uri; content:"&conn="; http_uri; content:"&pkid="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/reaper/server/didsync"; fast_pattern:only; http_uri; content:"sv="; http_client_body; content:"did="; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/ams/api/register?"; fast_pattern:only; http_uri; content:"l="; http_uri; content:"|7B 22|channel|22|"; http_client_body; content:"|22|deviceBrand|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Easemob-SDK mobile app service plaintext authentication"; flow:to_server,established; content:"POST"; http_method; content:"/xlsummary/toekn"; fast_pattern:only; http_uri; content:"User-Agent: Easemob-SDK"; http_header; content:"|22|password|22|"; http_client_body; content:"|22|username|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000005; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER winip7en fake Windows prize redirection information exposure"; flow:to_server,established; content:"GET"; http_method; content:"/winip7en_win.html?"; fast_pattern:only; http_uri; content:"isp="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000016; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
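The rules in the submission above are built almost entirely from content matches scoped to the http_method, http_uri, http_header and http_client_body buffers. A quick way to check that such a rule fires on the traffic you expect, and only on that traffic, before sending it to a list or loading it into a sensor, is to replay it against a few hand-built requests. The script below is an added example and not part of the original thread or of Snort: it parses three of the posted rules verbatim, decodes the |hex| escapes, and applies the buffer-scoped matches to constructed HTTP requests (the hostnames, IDs and field values are made up; Snort's flow, port and header-normalisation logic is not modelled, and fast_pattern:only is treated as the performance hint it is).

```python
"""Minimal re-implementation of Snort content/http_* buffer matching, run over
constructed HTTP requests. Added example: not Snort, and not the submitter's
code. Flow state, $HTTP_PORTS and header normalisation are not modelled."""

# Three of the submitted rules, copied verbatim from the thread.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"POST"; http_method; content:"Package-Name: "; fast_pattern:only; http_header; content:"/qga/"; http_uri; content:"/data/"; http_uri; content:"Content-Type|3A 20|application/json"; http_header; content:"appSecrect|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000000; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/getAd?"; fast_pattern:only; http_uri; content:"apid="; http_uri; content:"&ua="; http_uri; content:"&hswd="; http_uri; content:"&uip="; http_uri; content:"&conn="; http_uri; content:"&pkid="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000002; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Easemob-SDK mobile app service plaintext authentication"; flow:to_server,established; content:"POST"; http_method; content:"/xlsummary/toekn"; fast_pattern:only; http_uri; content:"User-Agent: Easemob-SDK"; http_header; content:"|22|password|22|"; http_client_body; content:"|22|username|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000005; rev:1;)',
]

# Sticky buffer modifiers that scope the preceding content match.
BUFFERS = {"http_method", "http_uri", "http_header", "http_client_body"}


def split_options(text):
    """Split the rule body on ';' while ignoring semicolons inside quotes."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def decode_content(quoted):
    """Turn a Snort content string into bytes: segments between '|' are hex."""
    out = bytearray()
    for i, seg in enumerate(quoted.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Extract sid, msg and an ordered list of (buffer, needle) content matches."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"sid": None, "msg": None, "contents": []}
    pending = None
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        if key == "content":
            pending = [None, decode_content(val.strip().strip('"'))]
            parsed["contents"].append(pending)
        elif key in BUFFERS and pending is not None:
            pending[0] = key  # modifier applies to the most recent content
        elif key == "sid":
            parsed["sid"] = int(val)
        elif key == "msg":
            parsed["msg"] = val.strip().strip('"')
    return parsed


def parse_request(raw):
    """Split a raw HTTP request into the buffers the rules refer to.
    A content with no buffer modifier (key None) is matched on the whole payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"http_method": method, "http_uri": uri,
            "http_header": headers + b"\r\n", "http_client_body": body, None: raw}


def rule_matches(rule, req):
    """Every content must appear in its own buffer (all are plain substrings here)."""
    return all(needle in req[buf] for buf, needle in rule["contents"])


def evaluate(raw_request, rules=RULES):
    """Return the sids of all rules that fire on the given request."""
    req = parse_request(raw_request)
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, req)]


# Constructed sample requests (hosts use the reserved .invalid TLD; values are made up).
LEAK_POST = (b"POST /qga/v1/data/ HTTP/1.1\r\nHost: ads.example.invalid\r\n"
             b"Package-Name: com.example.app\r\nContent-Type: application/json\r\n"
             b"appSecrect: 0123456789abcdef\r\n\r\n"
             b'{"imei":"000000000000000","lat":0,"lon":0}')
GETAD = (b"GET /getAd?apid=1234&ua=Dalvik&hswd=480x800&uip=10.0.0.5&conn=wifi"
         b"&pkid=com.example.app HTTP/1.1\r\nHost: ads.example.invalid\r\n\r\n")
EASEMOB = (b"POST /xlsummary/toekn HTTP/1.1\r\nHost: im.example.invalid\r\n"
           b"User-Agent: Easemob-SDK\r\nContent-Type: application/json\r\n\r\n"
           b'{"username":"alice","password":"hunter2"}')
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("LEAK_POST", LEAK_POST), ("GETAD", GETAD),
                      ("EASEMOB", EASEMOB), ("BENIGN", BENIGN)]:
        print(name, "->", evaluate(req))
```

Note that the EASEMOB request also carries Content-Type: application/json, yet sid 8000000 does not fire on it because the Package-Name header and the /qga/ and /data/ URI fragments are all required; running a negative case like that alongside the positive ones is the cheapest way to see how much of a rule's precision comes from each content.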