topic I have witnessed the same. A in Network Security

MALWARE-OTHER self-signed SSL certificate only allow from Source or To Destination?

stownsend — Tue, 12 Mar 2019 12:44:27 GMT

We have Recently setup the FireSIGHT Server and are now getting 100's of the MALWARE-OTHER self-signed SSL certificate Alerts. The Source and Destination IPs are from Nest's DropCam Services and our DropCams. I'd like to Keep the system Alerting me to these kinds of events, though want it to Ignore the alerts when the destination is one of the 10 DropCams we have. Any Suggestions on this would be great!

Thank you

Timestamp : 2015-08-12 10:37:23

Protocol : tcp

Alert Message : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)

Session : 52.6.210.94:443 -> 10.1.3.174:57446

I have witnessed the same. A

Nicholas Penning — Thu, 20 Aug 2015 23:15:25 GMT

I have witnessed the same. A variety of different foreign countries are reported.

Contents:

..............E....u@.@...S7A........W.XT..7..P..h........J...F.._..C.-..T....R|\..z...?...Pl<<9. .....WF.-..IPy~.Y..+!q...<.....n.
................0...0..R........0
..*.H..
.....0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS0..
070822065042Z.
120821065042Z0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS0..0
..*.H..
.........0..........
.'..tiz...I]u...=....H.P....%
wNu*;:.>.O%_.4o\.n.w...0......2....tt
..S.{.K.....N4*;.J....i}.p..|.*I.>..B*......p.,.(1.R..y........0..0...U......t.4...3];-.]..I.'...0....U.#.~0|..t.4...3];-.]..I.'....a._0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS...0...U....0....0
..*.H..
.........8.&...Z..........O.R.....MR@ G.^.."gh...rZ.a..D......U.b.B.p.....`....[../.Z.....c.3...p..L2..&.M.Q...J9j....`./........={>...kM...............F

I have opened a TAC Case for

stownsend — Thu, 20 Aug 2015 23:16:23 GMT

I have opened a TAC Case for this.

Buried in the Policies, Intrusion Policy, Initial-Inline, Policy Layers, My Changes, Rules, Category, Malware-Other,

Select

SID 19551 MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name

Click Show Details Button.

There is a Section Called Suppressions.

You can Suppress the Rule itself, or for Specific Source and Destinations.

I setup 2 Network Groups, one for the DropCams, one for the Already Blocked DropCam Servers. then created a Variable for each added those to the default set, then added as both the Source and Destination the Variables for the cameras and servers. That didn't help the issue, though the TAC Engineer said it should of.

We Tried with Specific IP addresses vs the Variables/Groups and has the same results.

For a Temp Fix to get the Cameras working we added an Access Control Policy that 'Trusted' the Cams/Servers on Port 443 for both Source/Dest.

I understand the rule and the

Nicholas Penning — Thu, 20 Aug 2015 23:29:28 GMT

I understand the rule and the significance. The recommendation is to have the rule set to block. I am just trying to rule out a Dyre Trojan or any other type of malware using this. In this specific example it appears that the source IP is from Spain and according to the Firewall, its Skype; P2P communication.

I will have to do some more checking, but I believe this traffic is tied to using Consumer Skype. There are too many source/destinations to Suppress this rule so I might as well disable. I will keep it at Drop and Generate just to be on the safe side. But I would like to know how this packet looks when it is a known malware trying to use the certificate.

Thanks.

Interesting, Its only been

stownsend — Thu, 20 Aug 2015 23:33:43 GMT

Interesting, Its only been the DropCams that have triggered this rule for us. I guess I should feel Fortunate. (-;

I'm getting this alert too.

David.Weber1 — Thu, 05 Nov 2015 13:38:27 GMT

I'm getting this alert too. My alert doesn't seem to be tied to any particular application or country but keeps flagging for the same root CA. Our own. So I'm getting this alert more than a few times a day.

The Alert is really saying

stownsend — Thu, 05 Nov 2015 13:48:17 GMT

The Alert is really saying that a Device is communicating via SSL using a Gerneric Certificate that is not 'real' and is using a Test Certificate.

I think I ended up having to Disable the rule all together as the DropCams use Amazons Elastic Computing and the IP Addresses kept changing.

Yes also a problem with our

David.Weber1 — Thu, 05 Nov 2015 15:19:35 GMT

Yes also a problem with our AWS servers.

Yes for me i am observing

bachi.chow — Tue, 08 Mar 2016 03:49:18 GMT

Yes for me i am observing this signature from AT&T and Microsoft,Amazone AWS and many ...this is rule is very noise.

what kind of attack the attacker can do, if i am not monitoring this kind of traffic(i mean if we disabled this rule SID:19551.?