[Emerging-Sigs] Rules for detect Oneplus sending data to open.oneplus.net

Felipe Naves fnaves at emergingthreatspro.com
Wed Dec 6 02:54:17 HST 2017


Hi Arnold,

We made two signatures to cover DNS and HTTP; these will go in today's 
ruleset.

Thanks,

-Felipe


On 05/12/2017 23:40, Arnold Chan wrote:
>
>
>
> Hi,
>
> Is it possible to create rules that would be useful to detect OnePlus 
> phones that possibly trigger the data leakage DNS (OnePlus sending data 
> to open.oneplus.net)?
>
> https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html
> https://thehackernews.com/2017/11/oneplus-root-exploit.html
>
>
> I recall there's something similar for Xiaomi phone data leakage DNS 
> policy rule.
>
> alert udp any any -> any 53 (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|api|07|account|06|xiaomi|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
>
>
>
> Kind Regards,
>
> Arnold

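The quoted Xiaomi rule matches a DNS query on ten fixed header bytes followed by the length-prefixed query name. The Python sketch below is an added example, not part of either message and not the signatures Felipe mentions; it reproduces that encoding and match logic for open.oneplus.net. The function names and the sample queries are constructed for illustration.

```python
import struct

# Bytes 2..11 of a plain query: flags=0x0100 (RD), QDCOUNT=1, AN/NS/ARCOUNT=0.
HEADER_TAIL = bytes.fromhex("01000001000000000000")

def encode_qname(domain: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def suricata_content(domain: str) -> str:
    """Render the qname in the |hex|text notation of the content keyword."""
    labels = domain.strip(".").split(".")
    return "".join(f"|{len(l):02X}|{l}" for l in labels) + "|00|"

def build_query(domain: str, flags: int = 0x0100, edns: bool = False) -> bytes:
    """Constructed sample A/IN query; edns=True appends an empty OPT record."""
    header = struct.pack("!HHHHHH", 0x1A2B, flags, 1, 0, 0, 1 if edns else 0)
    body = encode_qname(domain) + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + body + opt

def rule_matches(payload: bytes, domain: str) -> bool:
    """Emulate content:HEADER_TAIL; depth:10; offset:2; then content:qname; nocase; distance:0."""
    if payload[2:12] != HEADER_TAIL:
        return False
    # nocase: compare case-insensitively; distance:0: anywhere after the header match
    return encode_qname(domain).lower() in payload[12:].lower()

if __name__ == "__main__":
    target = "open.oneplus.net"  # domain named in the thread
    print(suricata_content(target))
    for name, kw in [("Open.OnePlus.net", {}), ("open.oneplus.net", {"edns": True})]:
        print(name, kw, rule_matches(build_query(name, **kw), target))
```

The second sample query carries an EDNS OPT record, so its ARCOUNT is 1 and the fixed header match fails even though the name is present.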