MALWARE-OTHER self-signed SSL certificate only allow from Source or To Destination?

stownsend
Level 2

We have recently set up the FireSIGHT Server and are now getting hundreds of the MALWARE-OTHER self-signed SSL certificate alerts. The source and destination IPs are from Nest's DropCam services and our DropCams. I'd like to keep the system alerting me to these kinds of events, though want it to ignore the alerts when the destination is one of the 10 DropCams we have. Any suggestions on this would be great!

Thank you

Timestamp        : 2015-08-12 10:37:23

Protocol         : tcp

Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)

Session          : 52.6.210.94:443 -> 10.1.3.174:57446


I have witnessed the same. A variety of different foreign countries are reported.

Contents:

..............E....u@.@...S7A........W.XT..7..P..h........J...F.._..C.-..T....R|\..z...?...Pl<<9. .....WF.-..IPy~.Y..+!q...<.....n.
................0...0..R........0
..*.H..
.....0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS0..
070822065042Z.
120821065042Z0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS0..0
..*.H..
.........0..........
.'..tiz...I]u...=....H.P....%
wNu*;:.>.O%_.4o\.n.w...0......2....tt
..S.{.K.....N4*;.J....i}.p..|.*I.>..B*......p.,.(1.R..y........0..0...U......t.4...3];-.]..I.'...0....U.#.~0|..t.4...3];-.]..I.'....a._0]1.0...U....AU1.0...U...
Some-State1!0...U.
..Internet Widgits Pty Ltd1.0...U...
TS Series NAS...0...U....0....0
..*.H..
.........8.&...Z..........O.R.....MR@ G.^.."gh...rZ.a..D......U.b.B.p.....`....[../.Z.....c.3...p..L2..&.M.Q...J9j....`./........={>...kM...............F
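The dump above carries the certificate's subject and issuer Names in DER; the readable fragments (AU, Some-State, Internet Widgits Pty Ltd, TS Series NAS) are the attribute values, and "Internet Widgits Pty Ltd" is the default organizationName in OpenSSL's stock openssl.cnf, which is why it shows up in certificates generated by pressing Enter through the prompts. The Python below is an added example written for this page, not code from the thread or from Cisco/Snort: it re-encodes that Name, decodes it back, and applies a simple check (issuer equal to subject, O equal to the OpenSSL default) that models the two properties in the rule's name. The OID table, the `classify` heuristic and the "Example CA" / "Example Corp" names are this example's own assumptions; the real rule's byte matching is not reproduced here.

```python
# Added example (not from the thread): a minimal DER encoder/decoder for an
# X.509 Name, used to show what "self-signed certificate with default Internet
# Widgits Pty Ltd organization name" refers to.

# X.520 attribute type OIDs (2.5.4.x) in DER-encoded form.
OID_NAMES = {
    bytes.fromhex("550406"): "C",   # countryName
    bytes.fromhex("550408"): "ST",  # stateOrProvinceName
    bytes.fromhex("55040a"): "O",   # organizationName
    bytes.fromhex("550403"): "CN",  # commonName
}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}
OPENSSL_DEFAULT_O = "Internet Widgits Pty Ltd"   # default in OpenSSL's openssl.cnf


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    sets = []
    for short, value in rdns:
        atv = tlv(0x30, tlv(0x06, OID_BY_NAME[short]) + tlv(0x13, value.encode("ascii")))
        sets.append(tlv(0x31, atv))
    return tlv(0x30, b"".join(sets))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_name(der: bytes):
    """Inverse of encode_name: list of (short attribute name, value) pairs."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = read_tlv(body, pos)        # SET (one RDN)
        _, atv, _ = read_tlv(rdn_set, 0)             # first AttributeTypeAndValue
        _, oid, after_oid = read_tlv(atv, 0)         # OBJECT IDENTIFIER
        _, value, _ = read_tlv(atv, after_oid)       # the string value
        rdns.append((OID_NAMES.get(oid, oid.hex()), value.decode("latin-1")))
    return rdns


def classify(issuer_der: bytes, subject_der: bytes) -> dict:
    """Heuristic used in this example only: issuer equal to subject means the
    certificate is self-issued (every self-signed cert looks like this), and the
    OpenSSL default O= marks a placeholder certificate. The real Snort rule does
    its own byte matching; this just models the two properties in its name."""
    subject = dict(decode_name(subject_der))
    return {
        "self_signed": issuer_der == subject_der,
        "default_openssl_org": subject.get("O") == OPENSSL_DEFAULT_O,
    }


# The Name visible in the packet dump (C=AU, ST=Some-State,
# O=Internet Widgits Pty Ltd, CN=TS Series NAS), re-encoded here.
NAS_NAME = encode_name([("C", "AU"), ("ST", "Some-State"),
                        ("O", OPENSSL_DEFAULT_O), ("CN", "TS Series NAS")])

# Constructed counter-example: issuer and subject of a properly issued certificate.
CA_NAME = encode_name([("O", "Example CA"), ("CN", "Example Root")])
LEAF_NAME = encode_name([("O", "Example Corp"), ("CN", "cam.example.net")])

if __name__ == "__main__":
    print(NAS_NAME[:4].hex(), decode_name(NAS_NAME))
    print(classify(NAS_NAME, NAS_NAME))
    print(classify(CA_NAME, LEAF_NAME))
```

The first four bytes of the re-encoded Name are 30 5D 31 0B, which is exactly the "0]1." that precedes "AU" in the dump (SEQUENCE of length 93, then a SET of length 11), so the fragments in the post are the DER headers between the attribute strings rather than corruption.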

 

I'm getting this alert too.  My alert doesn't seem to be tied to any particular application or country but keeps flagging for the same root CA.  Our own.  So I'm getting this alert more than a few times a day. 

The alert is really saying that a device is communicating via SSL using a generic certificate that is not 'real' and is using a test certificate.

I think I ended up having to disable the rule altogether, as the DropCams use Amazon's Elastic Compute and the IP addresses kept changing.

Yes also a problem with our AWS servers.  

stownsend
Level 2

I have opened a TAC case for this.

Buried in the Policies, Intrusion Policy, Initial-Inline, Policy Layers, My Changes, Rules, Category, Malware-Other,

Select

SID 19551 MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name

Click Show Details Button.

There is a Section Called Suppressions.

You can Suppress the Rule itself, or for Specific Source and Destinations. 

I set up 2 Network Groups, one for the DropCams, one for the already blocked DropCam servers, then created a Variable for each, added those to the default set, then added the Variables for the cameras and servers as both the Source and Destination. That didn't help the issue, though the TAC engineer said it should have.

We tried with specific IP addresses vs. the Variables/Groups and had the same results.

For a temp fix to get the cameras working we added an Access Control Policy that 'Trusted' the Cams/Servers on port 443 for both Source/Dest.
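To make the suppression behaviour concrete, here is an added Python example (not the thread's or Cisco's code) that parses alert records in the layout of the alert quoted at the top of the thread and applies suppressions modelled on Snort's `suppress gen_id, sig_id, track by_src|by_dst, ip` directive, the same by-source / by-destination tracking that FireSIGHT exposes as source and destination suppression. The second and third alert records, the second camera address 10.1.3.181, the workstation 10.1.5.20 and the 203.0.113.0/24 and 198.51.100.0/24 servers are constructed for the example. It shows that a by_dst suppression on the camera list only catches events where a camera is the destination (the side receiving the certificate); covering events where a camera is the source needs a by_src entry as well.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alerts in the layout of the FireSIGHT alert quoted in the
# original post. The first record is the one from the post; the others are made
# up for this example (10.1.3.181 is a hypothetical second camera, 10.1.5.20 a
# hypothetical workstation, 203.0.113.x / 198.51.100.x are documentation ranges
# standing in for external servers).
SAMPLE_ALERTS = """\
Timestamp        : 2015-08-12 10:37:23
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 52.6.210.94:443 -> 10.1.3.174:57446

Timestamp        : 2015-08-12 10:41:02
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 10.1.3.181:59120 -> 203.0.113.9:443

Timestamp        : 2015-08-12 10:45:55
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 198.51.100.7:443 -> 10.1.5.20:51000
"""

SESSION_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
SIG_RE = re.compile(r"\((?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\)\s*$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_alerts(text: str) -> list:
    """Split the blank-line separated records and pull out the fields we need."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")   # first colon is the separator
            fields[key.strip()] = value.strip()
        sig = SIG_RE.search(fields["Alert Message"])
        sess = SESSION_RE.match(fields["Session"])
        if not sig or not sess:
            raise ValueError(f"unparseable record: {record!r}")
        alerts.append(Alert(
            timestamp=fields["Timestamp"],
            gid=int(sig["gid"]), sid=int(sig["sid"]),
            src=ipaddress.ip_address(sess["src"]),
            dst=ipaddress.ip_address(sess["dst"]),
        ))
    return alerts


@dataclass(frozen=True)
class Suppression:
    """One entry modelled on Snort's
    'suppress gen_id G, sig_id S, track by_src|by_dst, ip <cidr>' directive.
    track=None suppresses every event for the rule regardless of address."""
    gid: int
    sid: int
    track: Optional[str] = None
    networks: tuple = ()

    def covers(self, alert: Alert) -> bool:
        if (alert.gid, alert.sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        addr = alert.src if self.track == "by_src" else alert.dst
        return any(addr in net for net in self.networks)


def apply_suppressions(alerts, suppressions):
    """Return (remaining, suppressed), each in the original order."""
    remaining, suppressed = [], []
    for alert in alerts:
        (suppressed if any(s.covers(alert) for s in suppressions) else remaining).append(alert)
    return remaining, suppressed


# Hypothetical "DropCams" network group: the camera from the post plus one made-up camera.
DROPCAMS = (ipaddress.ip_network("10.1.3.174/32"), ipaddress.ip_network("10.1.3.181/32"))


def demo():
    alerts = parse_alerts(SAMPLE_ALERTS)
    # Suppress only where a camera is the destination of the flagged packet.
    by_dst_only = [Suppression(1, 19551, "by_dst", DROPCAMS)]
    # Suppress in both directions: what a source-and-destination suppression amounts to.
    both_ways = by_dst_only + [Suppression(1, 19551, "by_src", DROPCAMS)]
    return apply_suppressions(alerts, by_dst_only), apply_suppressions(alerts, both_ways)


if __name__ == "__main__":
    for label, (remaining, suppressed) in zip(("by_dst only", "by_src + by_dst"), demo()):
        print(f"{label}: {len(suppressed)} suppressed, {len(remaining)} still alerting")
        for a in remaining:
            print(f"  still alerting: {a.timestamp} {a.src} -> {a.dst}")
```

Running it shows that with a destination-only suppression the alert where the camera is the source still fires, while the workstation's alert (10.1.5.20) survives both configurations, which is the "keep alerting for everything except the cameras" behaviour asked for in the original post.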

I understand the rule and the significance. The recommendation is to have the rule set to block. I am just trying to rule out a Dyre Trojan or any other type of malware using this. In this specific example it appears that the source IP is from Spain and, according to the Firewall, it's Skype; P2P communication.

I will have to do some more checking, but I believe this traffic is tied to using Consumer Skype. There are too many source/destinations to Suppress this rule so I might as well disable. I will keep it at Drop and Generate just to be on the safe side. But I would like to know how this packet looks when it is a known malware trying to use the certificate.

Thanks.

Interesting, it's only been the DropCams that have triggered this rule for us. I guess I should feel fortunate. (-;

bachi.chow
Level 1

Yes, for me I am observing this signature from AT&T, Microsoft, Amazon AWS and many more... this rule is very noisy.

What kind of attack can an attacker carry out if I am not monitoring this kind of traffic (I mean, if we disable this rule, SID 19551)?
