@LeeBrotherston
Last active August 29, 2015 14:12
Snort Rule - Suspected TCP Injection
A TCP window size of 1 combined with the absence of the Don't Fragment (DF) bit is consistent with injected packets observed from the PerfTech bulletin system, amongst others.
It does not, of course, guarantee that injection has taken place, as it is possible to generate this type of packet legitimately; however, I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
This searches for the string "PerfTech" in the HTTP headers. The PerfTech appliance, which ISPs use to inject packets into TCP sessions, often redirects users to pages hosted on the appliance itself, and those pages identify themselves with the Server header value "PerfTech".
One potential false positive is if you are administering a PerfTech device; however, if this is the case, you are probably aware of it already.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Alerts on the "please do not cache" trifecta of HTTP response headers (Cache-Control, Expires and Pragma) appearing together without a Server header.
This is within the standards; however, I have observed this to commonly be the case in certain types of packet injection. It can be noisy and prone to false positives.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Alerts when a web server receives a RST+PSH+ACK packet from a client. This can happen when a man-in-the-middle has injected a packet to reset the connection from the server's perspective, so that spoofed responses purporting to come from the server can be sent to the client.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
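The four injection heuristics above (window size 1 without DF, the PerfTech Server header, the no-cache trifecta without a Server header, and RST+PSH+ACK arriving at the server) expressed as a small Python checker run over constructed packets. This is an added example, not the gist's own Snort rules; the frames, the 10.0.0.x addresses and the assumption that the protected server listens on port 80 are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Added example (not the gist's Snort rules): the four injection heuristics
# described above, applied to constructed IPv4/TCP frames.

TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10
IP_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset field
SERVER_PORT = 80        # assumption: the protected web server listens on port 80


@dataclass
class Packet:
    src_port: int
    dst_port: int
    flags: int
    window: int
    df: bool
    payload: bytes


def build_packet(src_port, dst_port, flags, window, df, payload=b""):
    """Build a minimal IPv4+TCP frame. Checksums are left zero; the parser ignores them."""
    frag = IP_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, frag,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, flags, window, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Pull the fields the heuristics need out of a raw IPv4/TCP frame."""
    ihl = (raw[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", raw[6:8])[0] & IP_DF)
    tcp = raw[ihl:]
    src, dst, _, _, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    return Packet(src, dst, flags, window, df, tcp[(off >> 4) * 4:])


def http_response_headers(payload):
    """Lower-cased header name -> value for an HTTP response payload, else None."""
    if not payload.startswith(b"HTTP/1."):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def classify(pkt):
    """Return the list of heuristic names that fire for one packet."""
    alerts = []
    # 1. window size 1 with DF clear: consistent with observed injected packets
    if pkt.window == 1 and not pkt.df:
        alerts.append("suspected_tcp_injection")
    # 2. RST+PSH+ACK (and no other flags) arriving at the server from the client
    if pkt.flags == TCP_RST | TCP_PSH | TCP_ACK and pkt.dst_port == SERVER_PORT:
        alerts.append("rst_psh_ack_to_server")
    hdrs = http_response_headers(pkt.payload)
    if hdrs is not None:
        # 3. the appliance identifies itself in the Server header
        if "perftech" in hdrs.get("server", "").lower():
            alerts.append("perftech_server_header")
        # 4. Cache-Control + Expires + Pragma present, Server header absent (noisy)
        if {"cache-control", "expires", "pragma"}.issubset(hdrs) and "server" not in hdrs:
            alerts.append("nocache_trifecta_without_server")
    return alerts


# Constructed sample traffic, server 10.0.0.1:80 <-> client 10.0.0.2:40000.
SAMPLES = {
    "normal_response": build_packet(80, 40000, TCP_PSH | TCP_ACK, 65535, True,
        b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"),
    "perftech_redirect": build_packet(80, 40000, TCP_PSH | TCP_ACK, 1, False,
        b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.9/notice\r\nServer: PerfTech\r\n"
        b"Cache-Control: no-cache\r\nExpires: 0\r\nPragma: no-cache\r\n\r\n"),
    "nocache_no_server": build_packet(80, 40000, TCP_PSH | TCP_ACK, 1, False,
        b"HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\nExpires: 0\r\nPragma: no-cache\r\n\r\n"),
    "client_reset": build_packet(40000, 80, TCP_RST | TCP_PSH | TCP_ACK, 0, True),
}


def run_samples():
    """Map each constructed sample name to the heuristics it triggers."""
    return {name: classify(parse_packet(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name:20s} {alerts or '-'}")
```

Note that the PerfTech redirect carries the no-cache trifecta as well, but because it also carries a Server header only the first and third heuristics fire on it; the trifecta rule is deliberately restricted to responses with no Server header to keep its false-positive rate down, as the description above warns.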
A SuperFish-infected client connects using a seemingly specific combination of cipher suites, which can be observed during the SSL handshake. See http://blog.squarelemon.com/blog/2015/02/20/superfish-detection/
Privdog detected on the basis of the cipher suite combination used when it makes SSL connections (like SuperFish, Privdog uses its own SSL client to connect). http://blog.squarelemon.com/blog/2015/02/23/privdog-detection/
GeniusBox detected on the basis of the cipher suite combination used when it makes SSL connections (like SuperFish and Privdog, it uses its own SSL client to connect). http://blog.squarelemon.com/blog/2015/02/23/privdog-detection/
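Cipher-suite fingerprinting of the kind the three rules above rely on, as an added example in Python rather than Snort: it extracts the ordered cipher suite list from a TLS ClientHello and looks it up in a fingerprint table. The fingerprint values here are constructed placeholders, not the actual SuperFish, Privdog or GeniusBox lists (those are in the linked posts, not on this page), and the ClientHello records are built inline for the demonstration.

```python
import struct

# Added example: cipher-suite fingerprinting of a TLS ClientHello, the technique
# behind the SuperFish/Privdog/GeniusBox rules. The fingerprint values below are
# constructed placeholders, NOT the real lists for those products.
FINGERPRINTS = {
    (0x0004, 0x0005, 0x002F, 0x0035, 0x000A): "hypothetical-interceptor-A",
    (0x002F, 0x0035, 0x0004, 0x0005): "hypothetical-interceptor-B",
}


def build_client_hello(cipher_suites, version=(3, 3)):
    """Build a minimal TLS record carrying a ClientHello (constructed test input)."""
    body = bytes(version) + bytes(32)                    # client_version, zero random
    body += b"\x00"                                      # empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_cipher_suites(record):
    """Return the ordered cipher-suite tuple from a ClientHello, or None if not one."""
    try:
        if record[0] != 0x16:                            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:                          # truncated record
            return None
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # skip session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = body[pos:pos + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            return None
        return struct.unpack("!%dH" % (cs_len // 2), suites)
    except (IndexError, struct.error):
        return None


def match_fingerprint(record):
    """Name of the matching fingerprint, or None. The exact order of suites matters."""
    suites = client_hello_cipher_suites(record)
    return FINGERPRINTS.get(suites) if suites else None


# Constructed ClientHellos: the placeholder fingerprint, the same suites in a
# different order, and a browser-like ECDHE/AES-GCM list.
SAMPLES = {
    "interceptor_a": build_client_hello([0x0004, 0x0005, 0x002F, 0x0035, 0x000A]),
    "interceptor_a_reordered": build_client_hello([0x000A, 0x0004, 0x0005, 0x002F, 0x0035]),
    "browser_like": build_client_hello([0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009E, 0x009F]),
}


def run_samples():
    """Map each constructed sample name to the fingerprint it matches, if any."""
    return {name: match_fingerprint(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} {hit or '-'}")
```

The lookup is on the exact ordered tuple, so the reordered list does not match; that is the design choice that makes a single fingerprint specific to one client implementation, and it carries the same caveat as the window-size rule above: any client that happens to offer the identical list in the identical order will also match.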