Snort mailing list archives
Re: [Emerging-Sigs] Browser Extension Hijack sigs
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Mon, 13 May 2013 12:38:45 -0500
Nice! Have you seen anything other than googleusercontent.com or mozilla.org? Also it seems that both of these ship add-ons over ssl at least in my limited testing, have you seen something to the contrary?

Regards,

Will

On Mon, May 13, 2013 at 12:02 PM, James Lay <jlay () slave-tothe-box net> wrote:
http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx

I created the Firefox plugin sigs a while ago (fixed):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_header; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Firefox Plugin install from non-trusted source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000030; rev:2;)

These should match with Chrome:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Chrome Plugin install"; flow:to_server,established; content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000054; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000055; rev:1;)

Enjoy

James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
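To see exactly what the four POLICY rules quoted in the thread key on, here is an added Python approximation of their http_header/http_uri content tests run over constructed sample requests; it is not Snort and not code from the thread, and the hosts, paths and helper names (split_request, match_rules, make_request) are made up for the demo. It only models plaintext HTTP, which is also all the rules themselves can see.

```python
# Added approximation of the four POLICY rules quoted above (not Snort, not
# code from the thread): only the http_header and http_uri content tests are
# modelled, and http_header is assumed to hold the header lines only, without
# the request line.
RULES = [
    # (msg, http_header content, negated?, http_uri content); "|2f|crx|2f|blobs" is "/crx/blobs"
    ("POLICY Firefox Plugin install", "mozilla", False, ".xpi"),
    ("POLICY Possible Firefox Plugin install from non-trusted source", "mozilla", True, ".xpi"),
    ("POLICY Chrome Plugin install", "googleusercontent", False, "/crx/blobs"),
    ("POLICY Possible Chrome Plugin install from non-trusted source", "googleusercontent", True, "/crx/blobs"),
]


def split_request(raw: str) -> tuple:
    """Return (uri, header_block) from a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    return uri, "\r\n".join(header_lines)


def match_rules(raw: str) -> list:
    """Return the msg of every rule whose content tests all pass for the request."""
    uri, headers = split_request(raw)
    hits = []
    for msg, hdr, negated, uri_pat in RULES:
        if uri_pat not in uri:  # content:"..."; http_uri;
            continue
        # content without nocase is a case-sensitive substring test over the whole
        # header block: "mozilla" matches Host: addons.mozilla.org but not the
        # "Mozilla/5.0" User-Agent, and it equally matches any other header that
        # merely contains the string, so treat a hit as policy, not proof of origin.
        found = hdr in headers  # content:"..."; http_header;
        if found != negated:  # content:! inverts the test
            hits.append(msg)
    return hits


def make_request(host: str, path: str) -> str:
    """Build a minimal GET request; used only for the constructed samples below."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


if __name__ == "__main__":
    # Constructed samples (made-up paths), one per rule plus a non-match.
    for host, path in [("addons.mozilla.org", "/file/1/addon.xpi"),
                       ("cdn.example.net", "/files/update.xpi"),
                       ("clients2.googleusercontent.com", "/crx/blobs/AB12/ext.crx"),
                       ("download.example.org", "/crx/blobs/AB12/ext.crx"),
                       ("www.example.com", "/index.html")]:
        print(f"{host}{path}: {match_rules(make_request(host, path))}")
```

Because each pair of rules differs only in the negated http_header test, a given request can fire at most one of the pair, which the samples above demonstrate.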
Current thread:
- Browser Extension Hijack sigs James Lay (May 13)
- Re: [Emerging-Sigs] Browser Extension Hijack sigs Will Metcalf (May 13)
- Re: [Emerging-Sigs] Browser Extension Hijack sigs James Lay (May 13)
- Re: [Emerging-Sigs] Browser Extension Hijack sigs James Lay (May 13)
- Re: [Emerging-Sigs] Browser Extension Hijack sigs Will Metcalf (May 13)