Snort Superfish

If you use Snort as your IDS, you can use the following rules to identify Superfish (which we wrote about here) on the network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/set.php?ID="; depth:12; http_uri; content:"&Action="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020489; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/verify.php?version="; http_uri; fast_pattern:only; content:"&GUID=|7b|"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020490; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020492; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,from_server; content:"|55 04 0a|"; content:"|0f|Superfish, Inc."; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0f|Superfish, Inc."; distance:1; within:16; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:1;)
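As an added example (not from the original post or the EmergingThreats ruleset), the Python below re-creates the byte-level logic of the two certificate rules: `|55 04 0a|` and `|55 04 03|` are the DER encodings of the organizationName and commonName OIDs, and the length byte in front of each string value is why each chain skips one byte (the ASN.1 string tag) and pins the match with `within`. The certificate bytes it builds are constructed for illustration, and the helper and rule names are its own.

```python
# Added example, not code from the original post or the EmergingThreats rules.
# It mimics how the content/distance/within chains in sid 2020492 / 2020493
# walk a DER-encoded X.509 name. All certificate bytes are CONSTRUCTED here.

OID_ORG = b"\x55\x04\x0a"  # DER body of OID 2.5.4.10 (organizationName)
OID_CN = b"\x55\x04\x03"   # DER body of OID 2.5.4.3  (commonName)

# (pattern, distance, within) chains transcribed from the two rules above.
# The length byte (0x0e, 0x0f, 0x19) is part of the pattern, so 'within'
# equals len(pattern): the value must sit right after the skipped tag byte.
RULES = {
    "cnc_cert": [(OID_ORG, 0, None), (b"\x0eSuperfish Inc.", 1, 15),
                 (OID_CN, 0, None), (b"\x19*.best-deals-products.com", 1, 26)],
    "root_ca_cert": [(OID_ORG, 0, None), (b"\x0fSuperfish, Inc.", 1, 16),
                     (OID_CN, 0, None), (b"\x0fSuperfish, Inc.", 1, 16)],
}


def der_attr(oid: bytes, value: str) -> bytes:
    """Encode one AttributeTypeAndValue: SEQUENCE { OID, PrintableString }."""
    oid_tlv = b"\x06" + bytes([len(oid)]) + oid
    val_tlv = b"\x13" + bytes([len(value)]) + value.encode("ascii")  # 0x13 = PrintableString tag
    return b"\x30" + bytes([len(oid_tlv) + len(val_tlv)]) + oid_tlv + val_tlv


def content_chain_matches(buf: bytes, chain, end: int = 0) -> bool:
    """Each search starts `distance` bytes past the end of the previous match;
    with `within` set, the pattern must lie entirely in the next `within`
    bytes. As Snort does, retry an earlier content at its next occurrence when
    a later relative content fails (issuer and subject both carry an O and CN)."""
    if not chain:
        return True
    pattern, distance, within = chain[0]
    start = end + distance
    limit = len(buf) if within is None else start + within
    pos = buf.find(pattern, start, limit)
    while pos >= 0:
        if content_chain_matches(buf, chain[1:], pos + len(pattern)):
            return True
        pos = buf.find(pattern, pos + 1, limit)
    return False


def match_rules(cert_bytes: bytes):
    """Names of the certificate rules whose chain fires on these bytes."""
    return [n for n, c in RULES.items() if content_chain_matches(cert_bytes, c)]
```

Feed it `der_attr(OID_ORG, "Superfish Inc.") + der_attr(OID_CN, "*.best-deals-products.com")` to see the first rule fire, and prepend an unrelated issuer name to see the retry logic find the subject further in.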

The rules are taken from the EmergingThreats open ruleset and can be found in full here:

Jonas Lejon

About Jonas Lejon

One of Sweden's foremost cybersecurity experts. Feel free to contact me by phone at 010 1889848 or [email protected] if your organisation needs help with cybersecurity.
