Snort mailing list archives

Couple sigs - Firefox plugins


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 26 Sep 2012 08:40:57 -0600

Hey all,

Here's what I got:

# Every Snort option, including the last one, must end in ";" before the closing ")".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Firefox Plugin install"; flow:to_server,established; content:"mozilla"; http_uri; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000029; rev:1;)

# Negated content (content:!"mozilla") fires when the URI buffer does NOT contain the string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Possible Firefox Plugin install from non-trusted source"; flow:to_server,established; content:!"mozilla"; http_uri; content:".xpi"; http_uri; reference:url,http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:10000030; rev:1;)

My only thought to these is that the second could FP on a link that 
contains ".xpi".  Tried to pcre it up with pcre:"/\.xpi$/i"; but that 
caused the rule not to fire, so maybe I could get an assist with that.  
Sanity check was good, tested the first one and it works, but not the 
second (untrusted Firefox plugins be no bueno).  Thanks all.

James
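Added example, not part of James' post: a small Python emulation of the URI tests the two sigs perform, run over constructed request lines. It shows why a plain content:".xpi" match is prone to the FP James describes, why a pcre without the U modifier runs against the raw payload (where the URI is followed by " HTTP/1.1", so "$" never matches), and how an anchored pattern on the URI buffer that tolerates a query string behaves. The request lines and the (\?|$) pattern are assumptions for illustration.

```python
import re

# Constructed sample HTTP request lines (not taken from the original post).
REQUESTS = [
    "GET /mozilla/addons/file/addon.xpi HTTP/1.1",  # path ends in .xpi, "mozilla" in URI
    "GET /dl/addon.xpi?src=search HTTP/1.1",        # .xpi followed by a query string
    "GET /docs/about.xpi.html HTTP/1.1",            # ".xpi" inside a longer name: the FP case
]


def uri_of(request_line):
    """Return the request URI, i.e. roughly what Snort's http_uri buffer holds
    (path plus query string; the Host header is NOT part of this buffer)."""
    return request_line.split(" ")[1]


def content_xpi(request_line):
    """Emulates content:".xpi"; http_uri; -- a plain substring test, so it
    also hits '/about.xpi.html' and similar links."""
    return ".xpi" in uri_of(request_line)


def pcre_payload_anchor(request_line):
    """Emulates pcre:"/\\.xpi$/i" with no U modifier: the regex is applied to
    the raw payload, where the URI is followed by ' HTTP/1.1', so the '$'
    anchor can never sit right after '.xpi'."""
    return re.search(r"\.xpi$", request_line, re.I) is not None


def pcre_uri_anchor(request_line):
    """Emulates an assumed pcre:"/\\.xpi(\\?|$)/Ui": matched on the URI buffer,
    '.xpi' must be the end of the path, optionally followed by a query string."""
    return re.search(r"\.xpi(\?|$)", uri_of(request_line), re.I) is not None


def classify(request_line):
    """Which of the two POLICY sigs would fire once the URI test is anchored.
    content:"mozilla" has no nocase, so the comparison stays case-sensitive."""
    if not pcre_uri_anchor(request_line):
        return None
    return "sid:10000029" if "mozilla" in uri_of(request_line) else "sid:10000030"


if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{uri_of(r):40} content={content_xpi(r)} "
              f"pcre_raw={pcre_payload_anchor(r)} pcre_uri={pcre_uri_anchor(r)} "
              f"sig={classify(r)}")
```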


