Snort mailing list archives
Couple sigs - Firefox plugins
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 26 Sep 2012 08:40:57 -0600
Hey all,

Here's what I got:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_uri; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Firefox Plugin install from non-trusted source"; flow:to_server,established; content:!"mozilla"; http_uri; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000030; rev:1;)

My only thought on these is that the second could FP on a link that contains ".xpi". Tried to pcre it up with pcre:"/\.xpi$/i"; but that caused the rule not to fire, so maybe I could get an assist with that. Sanity check was good, tested the first one and it works, but not the second (untrusted Firefox plugins be no bueno).

Thanks all.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
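The following is an added worked example, not part of James's post and not Snort code. It models why a pcre written as /\.xpi$/i would not fire in the second rule and how to anchor it properly. In Snort, a pcre option without a buffer modifier is evaluated against the whole packet payload, where the request-target is followed by " HTTP/1.1" and the headers, so "$" never matches there; with the U modifier the pcre is evaluated against the normalized URI buffer instead, but that buffer also carries any query string, so a bare "$" still misses "foo.xpi?src=search". The script emulates the three candidate patterns against the buffer each would actually see, and also shows the plain content:".xpi" substring test that produces the false positive James is worried about. The sample requests are constructed, and http_uri_buffer() is a deliberately simplified stand-in for Snort's HTTP inspector normalization (an assumption, not Snort's real behaviour in every edge case).

```python
import re
from typing import Dict

# Constructed sample requests (not from the original post).
#   plain : the case both rules target, no query string
#   query : same download with a query string appended
#   fp    : ".xpi" appears inside a path segment, not as the extension
SAMPLE_REQUESTS = {
    "plain": b"GET /extensions/foo.xpi HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "query": b"GET /extensions/foo.xpi?src=search HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "fp":    b"GET /news/about.xpi-files/index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

# Candidate pcre options and the buffer each one is evaluated against.
# "payload" = no modifier (whole packet payload); "uri" = U modifier (http_uri buffer).
PATTERNS = {
    "raw_payload_anchor":  (re.compile(r"\.xpi$", re.I), "payload"),       # pcre:"/\.xpi$/i"
    "uri_anchor":          (re.compile(r"\.xpi$", re.I), "uri"),           # pcre:"/\.xpi$/Ui"
    "uri_anchor_or_query": (re.compile(r"\.xpi(\?|$)", re.I), "uri"),      # pcre:"/\.xpi(\?|$)/Ui"
}


def http_uri_buffer(payload: bytes) -> str:
    """Simplified stand-in for Snort's http_uri buffer: the request-target
    (path plus optional query string) taken from the request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return ""
    return parts[1].decode("latin-1")


def content_xpi_matches(payload: bytes) -> bool:
    """Emulates `content:".xpi"; http_uri;` : a plain case-insensitive
    substring test on the URI buffer. This is what fires on the FP case."""
    return ".xpi" in http_uri_buffer(payload).lower()


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Run each candidate pcre against the buffer it would really see and
    report whether it matches."""
    uri = http_uri_buffer(payload)
    whole_payload = payload.decode("latin-1")
    results = {}
    for name, (regex, buf) in PATTERNS.items():
        subject = uri if buf == "uri" else whole_payload
        results[name] = regex.search(subject) is not None
    return results


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:>6}: content '.xpi' in http_uri -> {content_xpi_matches(req)}")
        for name, hit in evaluate(req).items():
            print(f"        {name:<22} -> {hit}")
```

Only the pattern anchored to the URI buffer and allowing either end-of-buffer or a following "?" matches both the plain and the query-string download while still ignoring the ".xpi-files" path segment; the unanchored content match alone fires on all three.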