Re: [Emerging-Sigs] Browser Extension Hijack sigs

[James Lay <jlay () slave-tothe-box net>]

On 2013-05-13 11:38, Will Metcalf wrote:
> Nice! Have you seen be anything other than googleusercontent.com [9]
> or mozilla.org [10]? Also it seems that both of these ship add-ons
> over ssl at least in my limited testing, have you seen something to
> the contrary?
>
> Regards,
>
> Will

Yea...legit extensions go via https so we can poopcan:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Firefox Plugin install"; flow:to_server,established; content:"mozilla"; 
http_header; content:".xpi"; http_uri; 
reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; 
classtype:bad-unknown; sid:10000029; rev:1)

and

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY 
Chrome Plugin install"; flow:to_server,established; 
content:"googleusercontent"; http_header; content:"|2f|crx|2f|blobs"; 
http_uri; 
reference:url,http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; 
classtype:bad-unknown; sid:10000054; rev:1)

The other two *might* be useful...neither article really shows http or 
https :(  Thanks Will for catching the details I miss :)

James



------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!