Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Snort Rule - Suspected TCP Injection
A window size of 1 and the abscence of the do not fragment bit is consistent with observed injected packets from the Perftech bulletin system, amongst others.
It does not of course guarantee injection has taken place as it is possible to generate this type of packet legitimately, however I have yet to experience a false positive with this.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
This searches for the string "PerfTech" in the HTTP headers. The PerfTech appliance which is used by ISPs to inject packets into TCP sessions often redirects users to pages hosted on the appliance, which identifies itself with the server string "PerfTech".
One potential false positive is if you are administering a PerfTech device, however if this is the case you are probably aware of this already.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Alerts on the header combination of the plz do not cache HTTP response header trifecta of Cache-Control, Expires and Pragma whilst not including the Server header.
This is within the standards, however I have observed this to commonly be the case in certain types of packet injection. Can be noisy and prone to false positives.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
Alerts to a webserver that it has recieved a RST+PSH+ACK packet from a client. This can be the case when a man in the middle has injected a packet to reset the connection from the server perspective so that spoofed responses from the server can be sent back to the client.
For further information on this, please see: http://blog.squarelemon.com/blog/2014/10/29/corporation-in-the-middle/
A SuperFish infected client connects using a seemingly specific combination of ciphersuites which can be observed during the SSL handshake..... http://blog.squarelemon.com/blog/2015/02/20/superfish-detection/
Privdog detected on the basis of the CipherSuite combination used when it makes SSL connections (like SuperFish, Privdog uses it's own SSL client to connect) http://blog.squarelemon.com/blog/2015/02/23/privdog-detection/
GeniusBox detected on the basis of the CipherSuite combination used when it makes SSL connections (like SuperFish & Privdog uses it's own SSL client to connect) http://blog.squarelemon.com/blog/2015/02/23/privdog-detection/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.