# ET POLICY sid:2015686 - server certificate signed with md5WithRSAEncryption.
#
# Purpose: policy visibility for TLS servers that still present an MD5-signed
# X.509 certificate (see the hashclash rogue-CA reference). classtype is
# misc-activity: a hit is a weak-crypto finding to follow up with the server
# owner, not by itself evidence of compromise.
#
# How the match walks the server's first flight (all offsets are relative):
#   |16 03 01| depth:3        TLS record header: handshake, record version 3.1
#   |02| distance:2           skip 2-byte record length; handshake type ServerHello
#   byte_jump:3,0,relative    read 3-byte ServerHello length and skip its body
#   |16 03 01| within:3       next record must start immediately: handshake, 3.1
#   |0b| distance:2           skip record length; handshake type Certificate
#   |30 82| distance:9        skip 3 x 3-byte lengths (handshake, cert list,
#                             first cert); outer Certificate SEQUENCE, 2-byte length
#   |30 82| distance:2        skip that length; tbsCertificate SEQUENCE
#   |a0 03 02 01 02 02|       [0] version = INTEGER 2 (X.509 v3), then the
#                             INTEGER tag of serialNumber
#   byte_jump:1,0,relative    read 1-byte serial length and skip the serial
#   |30 0d 06 09 ... 01 01 04 05 00| within:15
#                             AlgorithmIdentifier: OID 1.2.840.113549.1.1.4
#                             (md5WithRSAEncryption) with NULL parameters
#
# Coverage limits visible from the pattern (expect false negatives):
#   - only source port 443; TLS on other ports is not inspected
#   - both records must carry record version 03 01; other record versions
#     do not match
#   - ServerHello and Certificate must be in separate, back-to-back records
#   - only the first certificate in the chain is examined; an MD5-signed
#     intermediate behind a non-MD5 leaf is not seen
#   - v3 certificates only, with DER long-form 2-byte lengths (|30 82|)
#   - checks the signature field inside tbsCertificate, not the outer
#     signatureAlgorithm
# NOTE(review): the |0b| match uses within:2 for a 1-byte pattern, which leaves
# one byte of slack after the record length - confirm this is intended.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:2;)

Added 2012-09-07 20:28:04 UTC

