Snort mailing list archives

Offer a new sig for detecting possible wpad Name Collision


From: rmkml <rmkml () ligfy org>
Date: Mon, 30 May 2016 20:57:29 +0200 (CEST)

Hi,

The http://etplc.org open source project offers a new sig for detecting possible wpad Name Collision:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Host wpad. possible Name Collision attempt"; \
    flow:to_server,established; content:"Host|3a| wpad."; nocase; http_header; \
    reference:url,www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf; \
    reference:url,www.us-cert.gov/ncas/alerts/TA16-144A; \
    classtype:misc-attack; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
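
Added example, not part of the original post and not etplc.org code: a Python approximation of the rule's match conditions (direction, port, case-insensitive header substring) run over constructed request headers to show which cases would alert. It is a plain substring model, not Snort's HTTP preprocessor; the HOME_NET and HTTP_PORTS values, the reading of $EXTERNAL_NET as !$HOME_NET, and all sample requests are assumptions.

```python
import ipaddress

# Assumed stand-ins for the rule's variables; align them with your snort.conf.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HTTP_PORTS = {80, 8080}
PATTERN = b"host: wpad."  # content:"Host|3a| wpad."; nocase;

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def rule_matches(src, dst, dport, headers):
    """Approximate the posted rule on one client-to-server HTTP request."""
    # Direction: $HOME_NET -> $EXTERNAL_NET (assumed here to be !$HOME_NET).
    if not in_home_net(src) or in_home_net(dst):
        return False
    if dport not in HTTP_PORTS:
        return False
    # nocase substring search over the whole header block, not just Host.
    return PATTERN in headers.lower()

# Constructed sample requests (header block only), not captured traffic.
SAMPLES = [
    ("wpad FQDN leaving HOME_NET", "10.1.2.3", "203.0.113.10", 80,
     b"Host: wpad.corp.example\r\nAccept: */*\r\n"),
    ("mixed-case header", "10.1.2.3", "203.0.113.10", 8080,
     b"HOST: WPAD.Corp.Example\r\n"),
    ("internal wpad server", "10.1.2.3", "10.9.9.9", 80,
     b"Host: wpad.corp.example\r\n"),
    ("bare hostname, no dot", "10.1.2.3", "203.0.113.10", 80,
     b"Host: wpad\r\n"),
    ("unrelated host", "10.1.2.3", "203.0.113.10", 80,
     b"Host: mywpad.example\r\n"),
    ("substring hit in another header", "10.1.2.3", "203.0.113.10", 80,
     b"Host: www.example.com\r\nX-Forwarded-Host: wpad.example\r\n"),
    ("port outside HTTP_PORTS", "10.1.2.3", "203.0.113.10", 8443,
     b"Host: wpad.corp.example\r\n"),
]

def evaluate(samples=SAMPLES):
    return {name: rule_matches(src, dst, port, hdrs)
            for name, src, dst, port, hdrs in samples}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'quiet':5}  {name}")
```

The "substring hit in another header" case alerts because the pattern is not anchored to the start of a header line, and the "bare hostname" case stays quiet because the pattern requires the trailing dot.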

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

