Snort mailing list archives
Re: [Emerging-Sigs] Browser Extension Hijack sigs
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 13 May 2013 11:53:57 -0600
On 2013-05-13 11:38, Will Metcalf wrote:
> Nice! Have you seen it be anything other than googleusercontent.com or mozilla.org? Also it seems that both of these ship add-ons over ssl, at least in my limited testing. Have you seen something to the contrary?
>
> Regards,
> Will

Yea...legit extensions go via https so we can poopcan:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_header; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:1;)

and

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Chrome Plugin install"; flow:to_server,established; content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; http_uri; reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:10000054; rev:1;)

The other two *might* be useful...neither article really shows http or https :(

Thanks Will for catching the details I miss :)

James
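
Added example (not part of either poster's message, and not Snort itself): a Python approximation of the two rules' header and URI content checks, run over constructed requests to show what fires over plaintext HTTP and that a TLS fetch leaves the http_* buffers nothing to match. The hosts, paths and helper names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    header_content: bytes  # content:"..."; http_header;
    uri_content: bytes     # content:"..."; http_uri;

RULES = [
    Rule(10000029, b"mozilla", b".xpi"),
    Rule(10000054, b"googleusercontent", b"/crx/blobs"),  # |2f|crx|2f|blobs
]

def parse_request(raw: bytes):
    """Return (uri, header block) for a plaintext HTTP request, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # e.g. a TLS record: no HTTP buffers to inspect
    return parts[1], headers

def matching_sids(raw: bytes):
    """Approximation: SIDs whose two contents both appear, case-sensitively
    (the rules carry no nocase modifier)."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    uri, headers = parsed
    return [r.sid for r in RULES
            if r.header_content in headers and r.uri_content in uri]

def request(uri: str, **headers: str) -> bytes:
    """Build a constructed sample request; underscores in names become dashes."""
    lines = [f"GET {uri} HTTP/1.1"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

# Constructed samples; hosts and paths are made up for illustration.
SAMPLES = {
    "firefox_http": request("/downloads/addon.xpi", Host="addons.mozilla.org"),
    "chrome_http": request("/crx/blobs/AA/x.crx", Host="c.googleusercontent.com"),
    "ua_only": request("/a.xpi", Host="example.test", User_Agent="Mozilla/5.0"),
    "referer": request("/a.xpi", Host="example.test",
                       Referer="http://addons.mozilla.org/"),
    "tls": b"\x16\x03\x01\x00\x05hello",
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, matching_sids(raw))
```

The "ua_only" and "referer" samples show that the header match is not tied to the Host header: a capitalised "Mozilla/5.0" User-Agent does not satisfy content:"mozilla", while a lower-case Referer does.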