Comodo Fraudulent SSL Certificate detection rule

Below is a screenshot of the fake certificate.


The Emerging Threats rule for it is as follows:

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:3;)

What worries me, though, is the within:250. It looks short. The first content matches the certificate's serial number (the leading 00 is the DER sign byte), and within:250 requires the end of the "addons.mozilla.org" match to lie no more than 250 bytes after the end of that serial match. Between the two sit the signature algorithm, the full issuer DN, the validity period and every subject RDN that precedes the CN, so a long issuer name or an OV-style subject can push the CN past 250 bytes.

When I gathered statistics over a number of https sites, there were cases where the subject did not fall within 250 bytes.

Of course, the fastest way to settle this would be to analyze the actually issued fake certificates as served over https, but...

With within raised to 300, the rules can be written as follows.

# Rules with within:300. msg, classtype, sid and rev are added so the rules load; sid 1000001-1000009 are local-range placeholders, renumber them for your sensor.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,to_client; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f 43|"; content:"addons.mozilla.org"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for Global Trustee"; flow:established,to_client; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; content:"Global Trustee"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for login.live.com"; flow:established,to_client; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for login.skype.com"; flow:established,to_client; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com (1)"; flow:established,to_client; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com (2)"; flow:established,to_client; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000006; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com (3)"; flow:established,to_client; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000007; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for mail.google.com"; flow:established,to_client; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000008; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"LOCAL CURRENT_EVENTS Known Fraudulent SSL Certificate for www.google.com"; flow:established,to_client; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; nocase; distance:0; within:300; classtype:misc-activity; sid:1000009; rev:1;)
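To make the within:250 versus within:300 question concrete, here is an added example (my code, not from the original post and not from Emerging Threats). It builds two constructed DER TBSCertificate structures that both carry the fraudulent addons.mozilla.org serial number quoted in the rule, measures how many bytes separate the end of the serial from the end of the subject CN, and emulates Snort's content/distance:0/within:N check against each. All issuer and subject values are made up for the example (the names, validity dates and dummy key are assumptions); they are not the real certificate's DNs.

```python
"""Measure the serial-to-CN gap in DER certificates and emulate Snort `within`.

Added example, not code from the original post or from Emerging Threats. The
DN values, dates and key bits are constructed; only the serial number is the
one quoted in the rule.
"""

# X.500 attribute OIDs (encoded OBJECT IDENTIFIER contents)
OID_C = bytes.fromhex("550406")
OID_L = bytes.fromhex("550407")
OID_ST = bytes.fromhex("550408")
OID_O = bytes.fromhex("55040a")
OID_OU = bytes.fromhex("55040b")
OID_CN = bytes.fromhex("550403")
OID_POSTAL = bytes.fromhex("550411")
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5
OID_RSA = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1

# Serial of the fraudulent addons.mozilla.org certificate as written in the rule.
# The leading 00 is the DER sign byte: 0x92 has its top bit set.
SERIAL_PATTERN = bytes.fromhex("009239d5348f40d1695a745470e1f23f43")
SERIAL_RAW = SERIAL_PATTERN[1:]


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(raw: bytes) -> bytes:
    """INTEGER from a big-endian magnitude; prefix 00 when the top bit is set."""
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return tlv(0x02, raw)


def der_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (UTF8String values)."""
    sets = [tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, val.encode())))
            for oid, val in rdns]
    return tlv(0x30, b"".join(sets))


def build_tbs(serial_raw: bytes, issuer, subject) -> bytes:
    """TBSCertificate: version, serial, sigAlg, issuer, validity, subject and a
    placeholder SubjectPublicKeyInfo so the structure is DER-complete."""
    version = tlv(0xA0, der_int(b"\x02"))                       # [0] EXPLICIT v3
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA1_RSA) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"110315000000Z") + tlv(0x17, b"140315000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + b"\x05\x00")
                     + tlv(0x03, b"\x00" + b"\xAA" * 64))        # dummy key bits
    return tlv(0x30, version + der_int(serial_raw) + sig_alg
               + der_name(issuer) + validity + der_name(subject) + spki)


def snort_within(payload: bytes, first: bytes, second: bytes, within: int,
                 nocase: bool = False) -> bool:
    """Emulate `content:first; content:second; [nocase;] distance:0; within:N;`:
    the second pattern must lie entirely inside the N bytes that follow the end
    of the first match."""
    i = payload.find(first)
    if i < 0:
        return False
    end = i + len(first)
    hay, needle = (payload.lower(), second.lower()) if nocase else (payload, second)
    return hay.find(needle, end, end + within) >= 0


def cn_distance(payload: bytes, first: bytes, cn: bytes) -> int:
    """Bytes from the end of the serial match to the end of the CN value, i.e.
    the smallest `within` that would still fire. Returns -1 if either is absent."""
    i = payload.find(first)
    j = payload.find(cn, i + len(first)) if i >= 0 else -1
    return -1 if j < 0 else j + len(cn) - (i + len(first))


# Constructed certificate 1: short issuer, DV-style subject with only a CN.
SHORT_CERT = build_tbs(
    SERIAL_RAW,
    issuer=[(OID_C, "US"), (OID_O, "Example CA"), (OID_CN, "Example Issuing CA")],
    subject=[(OID_CN, "addons.mozilla.org")],
)

# Constructed certificate 2: longer issuer and an OV-style subject that carries
# several RDNs before the CN.
OV_CERT = build_tbs(
    SERIAL_RAW,
    issuer=[(OID_C, "US"), (OID_O, "Example Trust Network"),
            (OID_OU, "http://www.example.test"), (OID_CN, "Example Trust Hardware CA")],
    subject=[(OID_C, "US"), (OID_POSTAL, "94043"), (OID_ST, "California"),
             (OID_L, "Mountain View"), (OID_O, "Example Org"),
             (OID_CN, "addons.mozilla.org")],
)

if __name__ == "__main__":
    host = b"addons.mozilla.org"
    for label, cert in (("short DN", SHORT_CERT), ("OV-style DN", OV_CERT)):
        print(f"{label}: CN ends {cn_distance(cert, SERIAL_PATTERN, host)} bytes after the serial; "
              f"within:250 -> {snort_within(cert, SERIAL_PATTERN, host, 250)}, "
              f"within:300 -> {snort_within(cert, SERIAL_PATTERN, host, 300)}")
```

The DV-style certificate puts the CN 143 bytes after the serial and matches either way; the OV-style one puts it 291 bytes out, so within:250 misses it and within:300 catches it. Add a street or a second OU to the subject and even 300 is exceeded, which is the real caveat: `within` on the serial-to-hostname gap is a guess about DN layout, and the serial number alone already identifies the certificate. To check a live certificate instead of a constructed one, dump it with `openssl s_client -connect host:443 -showcerts` and `openssl x509 -outform DER`, then feed the DER and its serial bytes to cn_distance. Note also that both contents must land in the same reassembled stream buffer on the sensor for the rule to fire.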
