Snort Superfish

If you use Snort as your IDS, you can use the following rules to identify Superfish (which we wrote about here) on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/set.php?ID="; depth:12; http_uri; content:"&Action="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020489; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/verify.php?version="; http_uri; fast_pattern:only; content:"&GUID=|7b|"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020490; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020492; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,from_server; content:"|55 04 0a|"; content:"|0f|Superfish, Inc."; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0f|Superfish, Inc."; distance:1; within:16; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:1;)

The rules are taken from the open EmergingThreats rule set and can be found in full here:
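To see what the two certificate rules (sid 2020492 and 2020493) actually key on, here is an added example, not part of the post or of the EmergingThreats rules, that emulates Snort's content/distance/within chain in Python against constructed DER subject fragments. The helper names (match_chain, cert_fragment, matching_sids) are my own; the window semantics assume `within` counts from the position reached after `distance`, which is what the rules' byte counts imply.

```python
# X.509 attribute OIDs the rules search for (as raw DER bytes)
OID_ORG = b"\x55\x04\x0a"   # organizationName (2.5.4.10)
OID_CN = b"\x55\x04\x03"    # commonName (2.5.4.3)

# (content, distance, within) chains transcribed from the two SSL-cert rules.
# Note the leading byte of each string is its DER length: 0x0e = 14 bytes
# ("Superfish Inc."), 0x0f = 15 ("Superfish, Inc."), 0x19 = 25
# ("*.best-deals-products.com"), so only that exact string length fires.
RULES = {
    2020492: [(OID_ORG, 0, None),
              (b"\x0eSuperfish Inc.", 1, 15),
              (OID_CN, 0, None),
              (b"\x19*.best-deals-products.com", 1, 26)],
    2020493: [(OID_ORG, 0, None),
              (b"\x0fSuperfish, Inc.", 1, 16),
              (OID_CN, 0, None),
              (b"\x0fSuperfish, Inc.", 1, 16)],
}


def match_chain(buf: bytes, chain) -> bool:
    """Apply a Snort-style chain of content matches in order.
    distance: bytes to skip after the end of the previous match before searching.
    within: size of the search window from that point (None = rest of buffer).
    Assumed semantics: the window starts after the distance skip is applied."""
    pos = 0
    for content, distance, within in chain:
        start = pos + distance
        end = len(buf) if within is None else start + within
        idx = buf.find(content, start, end)
        if idx < 0:
            return False
        pos = idx + len(content)
    return True


def cert_fragment(org: bytes, cn: bytes) -> bytes:
    """Constructed DER-like subject fragment: OID, PrintableString tag 0x13,
    one length byte, value. The single tag byte between the OID and the length
    is the byte that distance:1 skips over in the rules."""
    attr = lambda oid, val: b"\x06\x03" + oid + b"\x13" + bytes([len(val)]) + val
    return attr(OID_ORG, org) + b"\x31\x20\x30\x1e" + attr(OID_CN, cn)


def matching_sids(buf: bytes) -> list:
    """Return the sids whose content chain matches the given bytes."""
    return [sid for sid, chain in RULES.items() if match_chain(buf, chain)]


if __name__ == "__main__":
    print(matching_sids(cert_fragment(b"Superfish Inc.", b"*.best-deals-products.com")))
    print(matching_sids(cert_fragment(b"Superfish, Inc.", b"Superfish, Inc.")))
```

Running it shows that a subject with organization "Superfish Inc." and the wildcard CN fires only 2020492, while the root-CA-style subject fires only 2020493; an unrelated subject fires neither.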

Jonas Lejon
