Snort mailing list archives
Re: Offer a new sig for detecting possible wpad Name Collision
From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Tue, 31 May 2016 09:06:47 -0400
Hi,

Thanks for your submission. I'll review and test this rule and get back to you when it's finished.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Mon, May 30, 2016 at 2:57 PM, rmkml <rmkml () ligfy org> wrote:
Hi,

The http://etplc.org open source project offers a new sig for detecting possible wpad Name Collision:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Host wpad. possible Name Collision attempt"; flow:to_server,established; content:"Host|3a| wpad."; nocase; http_header; reference:url,www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf; reference:url,www.us-cert.gov/ncas/alerts/TA16-144A; classtype:misc-attack; sid:1; rev:1;)

See the references for more information.
Don't forget to check variables.
Please send any comments.

Regards
@Rmkml

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
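The matching behaviour of the rule posted in this thread, shown as an added example that is not part of the original messages or of the ETPLC project: it compares the rule's literal `content:"Host|3a| wpad."; nocase;` match with a check that parses the Host header. The header blocks and `.example` hostnames are constructed, and the substring search is a simplification that does not reproduce any normalization Snort's HTTP preprocessor applies to the `http_header` buffer.

```python
# Literal from the posted rule: content:"Host|3a| wpad."; nocase; http_header;
RULE_CONTENT = b"Host: wpad."


def rule_style_match(headers: bytes) -> bool:
    """Case-insensitive substring search, approximating content + nocase."""
    return RULE_CONTENT.lower() in headers.lower()


def parsed_host_match(headers: bytes) -> bool:
    """Parse the Host header and test whether its first DNS label is 'wpad'."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().lower().split(b":")[0]  # drop optional port
            return host.startswith(b"wpad.")
    return False


def header_block(*lines: str) -> bytes:
    """Build a CRLF-terminated header block (request line omitted)."""
    return ("\r\n".join(lines) + "\r\n").encode()


# Constructed samples; all hostnames are placeholders.
SAMPLES = {
    "typical": header_block("Host: wpad.corp.example", "Accept: */*"),
    "mixed_case": header_block("host: WPAD.Corp.Example"),
    "with_port": header_block("Host: wpad.corp.example:8080"),
    # No space after the colon: the rule's literal includes one.
    "no_space": header_block("Host:wpad.corp.example"),
    # The literal also occurs inside another header name plus value.
    "other_header": header_block("Host: www.example",
                                 "X-Forwarded-Host: wpad.corp.example"),
    "unrelated": header_block("Host: wpadmin.example"),
}


def compare() -> dict:
    """Return {sample: (rule_style_hit, parsed_host_hit)}."""
    return {name: (rule_style_match(h), parsed_host_match(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule_hit, parsed_hit) in compare().items():
        print(f"{name:13} rule={rule_hit!s:5} parsed={parsed_hit}")
```

The two checks disagree only on `no_space` and `other_header`, which are the cases worth replaying against a real sensor when testing the rule.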
Current thread:
- Offer a new sig for detecting possible wpad Name Collision rmkml (May 30)
- Re: Offer a new sig for detecting possible wpad Name Collision Joshua Williams (May 31)