Snort mailing list archives

Re: Ads data leaks sigs


From: Phillip Lee <phillile () sourcefire com>
Date: Thu, 17 May 2018 12:07:43 -0400

Hi Yaser,
After reviewing this rule, we have decided not to add it to the community ruleset. While the information that gets leaked can be considered sensitive, it is not in itself the result of malicious activity. These rules might be more appropriate in a POLICY-OTHER category; however, that's something to be left to individuals. We appreciate your contribution.

Regards,
Phil Lee
Cisco Talos


On Apr 27, 2018, at 11:04 AM, Phillip Lee <phillile () sourcefire com> wrote:

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Regards,
Phil Lee
Cisco Talos

On Apr 27, 2018, at 10:38 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The first set of signatures is derived from the reference. The second set of rule(s) triggers against fake Windows prize ads. The goal of the detection is to prevent the leakage of user data that these ad SDKs send. Such data can be too revealing.

# Title: Leaking ads
# Reference: https://securelist.com/leaking-ads/85239/

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"POST"; http_method; content:"Package-Name: "; fast_pattern:only; http_header; content:"/qga/"; http_uri; content:"/data/"; http_uri; content:"Content-Type|3A 20|application/json"; http_header; content:"appSecrect|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/m/ad?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&nv="; http_uri; content:"&dn="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER mobile ads SDK potential user data leak"; flow:to_server,established; content:"GET"; http_method; content:"/getAd?"; fast_pattern:only; http_uri; content:"apid="; http_uri; content:"&ua="; http_uri; content:"&hswd="; http_uri; content:"&uip="; http_uri; content:"&conn="; http_uri; content:"&pkid="; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/reaper/server/didsync"; fast_pattern:only; http_uri; content:"sv="; http_client_body; content:"did="; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Lenovo mobile app potential user data leak"; flow:to_server,established; content:"/ams/api/register?"; fast_pattern:only; http_uri; content:"l="; http_uri; content:"|7B 22|channel|22|"; http_client_body; content:"|22|deviceBrand|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER Easemob-SDK mobile app service plaintext authentication"; flow:to_server,established; content:"POST"; http_method; content:"/xlsummary/toekn"; fast_pattern:only; http_uri; content:"User-Agent: Easemob-SDK"; http_header; content:"|22|password|22|"; http_client_body; content:"|22|username|22|"; http_client_body; metadata:ruleset community, service http; reference:url,securelist.com/leaking-ads/85239/; classtype:misc-activity; sid:8000005; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER winip7en fake Windows prize redirection information exposure"; flow:to_server,established; content:"GET"; http_method; content:"/winip7en_win.html?"; fast_pattern:only; http_uri; content:"isp="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000016; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads


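An added worked example, written for this archive page and not part of the thread or of Snort itself: a small Python evaluator for the buffer-specific content matches the submitted rules rely on (http_method, http_uri, http_header, http_client_body, and |hex| escapes), run over constructed HTTP requests. It is a simplification of Snort's HTTP inspection (no normalization, no flow tracking, no fast_pattern selection) and exists to show why a match bound to http_header does not fire when the same string appears only in the URI or body. The sample rule is sid 8000000 from the post; the requests and host names are constructed, not captured traffic.

```python
"""Minimal evaluator for Snort 2 http_* content matches (added example).

Not Snort's own matching engine: it only honours content:, the four HTTP
buffer modifiers and |hex| escapes, and skips flow:, fast_pattern:,
metadata:, reference: and the other non-matching options.
"""

# Rule sid 8000000 from the list post, on one line so it parses.
RULE_8000000 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"PUA-OTHER mobile ads SDK potential user data leak"; '
    'flow:to_server,established; content:"POST"; http_method; '
    'content:"Package-Name: "; fast_pattern:only; http_header; '
    'content:"/qga/"; http_uri; content:"/data/"; http_uri; '
    'content:"Content-Type|3A 20|application/json"; http_header; '
    'content:"appSecrect|3A 20|"; http_header; '
    'metadata:ruleset community, service http; '
    'reference:url,securelist.com/leaking-ads/85239/; '
    'classtype:misc-activity; sid:8000000; rev:1;)'
)

BUFFER_MODIFIERS = {"http_method", "http_uri", "http_header", "http_client_body"}


def decode_content(s: str) -> bytes:
    """Decode a Snort content string: text between |..| is hex bytes."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return out


def split_options(body: str) -> list:
    """Split the rule body on ';' outside double quotes."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def parse_rule(rule: str):
    """Return (sid, msg, [(buffer, content_bytes), ...]).

    A content: option binds to the first buffer modifier that follows it;
    a content with no modifier inspects the raw payload ('raw').
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid, msg, matches, pending = None, "", [], None
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name == "content":
            if pending is not None:
                matches.append(("raw", pending))
            pending = decode_content(value.strip().strip('"'))
        elif name in BUFFER_MODIFIERS and pending is not None:
            matches.append((name, pending))
            pending = None
        elif name == "sid":
            sid = int(value)
        elif name == "msg":
            msg = value.strip().strip('"')
    if pending is not None:
        matches.append(("raw", pending))
    return sid, msg, matches


def split_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the buffers the modifiers inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"http_method": method, "http_uri": uri, "http_header": headers,
            "http_client_body": body, "raw": raw}


def rule_matches(rule: str, raw_request: bytes) -> bool:
    """True when every content match is found in its designated buffer."""
    _sid, _msg, matches = parse_rule(rule)
    buffers = split_request(raw_request)
    return all(content in buffers[buf] for buf, content in matches)


# Constructed sample traffic (not real captures; hosts use .invalid).
LEAKY_POST = (b"POST /qga/v1/data/report HTTP/1.1\r\nHost: ads.example.invalid\r\n"
              b"Package-Name: com.example.app\r\nappSecrect: 0123456789abcdef\r\n"
              b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}")
BENIGN_POST = (b"POST /api/v1/data HTTP/1.1\r\nHost: api.example.invalid\r\n"
               b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}")
# Same strings, but only in the body: the http_header-bound matches must not fire.
BODY_ONLY_POST = (b"POST /qga/v1/data/report HTTP/1.1\r\nHost: api.example.invalid\r\n"
                  b"Content-Type: application/json\r\nContent-Length: 44\r\n\r\n"
                  b"Package-Name: com.example.app appSecrect: abcd")

if __name__ == "__main__":
    for name, req in [("leaky", LEAKY_POST), ("benign", BENIGN_POST), ("body-only", BODY_ONLY_POST)]:
        print(name, rule_matches(RULE_8000000, req))
```

The third request is the instructive one: the leaked identifiers are present, but in the wrong buffer, so the rule stays silent. That is exactly the property the submitter relies on when binding "Package-Name: " and "appSecrect: " to http_header, and it is the first thing to re-check if an SDK update moves those fields into the JSON body.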
