stownsend
Explorer

MALWARE-OTHER self-signed SSL certificate only allow from Source or To Destination?

We have recently set up the FireSIGHT Server and are now getting hundreds of the MALWARE-OTHER self-signed SSL certificate alerts. The source and destination IPs are from Nest's DropCam services and our DropCams. I'd like to keep the system alerting me to these kinds of events, though I want it to ignore the alerts when the destination is one of the 10 DropCams we have. Any suggestions on this would be great!

Thank you

Timestamp        : 2015-08-12 10:37:23
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 52.6.210.94:443 -> 10.1.3.174:57446

Nicholas Penning
Beginner

I have witnessed the same. A variety of different foreign countries are reported.

Contents:

I'm getting this alert too.  My alert doesn't seem to be tied to any particular application or country but keeps flagging for the same root CA.  Our own.  So I'm getting this alert more than a few times a day. 

The alert is really saying that a device is communicating via SSL using a generic certificate that is not 'real' and is using a test certificate.

I think I ended up having to disable the rule altogether, as the DropCams use Amazon's Elastic Computing and the IP addresses kept changing.

Yes also a problem with our AWS servers.  

stownsend
Explorer

I have opened a TAC Case for this. 

Buried in the Policies, Intrusion Policy, Initial-Inline, Policy Layers, My Changes, Rules, Category, Malware-Other,

Select

SID 19551 MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name

Click Show Details Button.

There is a Section Called Suppressions.

You can Suppress the Rule itself, or for Specific Source and Destinations. 

I set up 2 Network Groups, one for the DropCams and one for the already blocked DropCam servers, then created a Variable for each, added those to the default set, then added the Variables for the cameras and servers as both the Source and Destination. That didn't help the issue, though the TAC Engineer said it should have.

We tried with specific IP addresses vs the Variables/Groups and had the same results.

For a Temp Fix to get the Cameras working we added an Access Control Policy that 'Trusted'  the Cams/Servers on Port 443 for both Source/Dest. 
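A small triage helper, added here as an example and not code from this thread or from FireSIGHT, that applies the suppression described above to alert records in the format shown in the first post: it suppresses SID 19551 only when one endpoint is in a camera network group and deliberately ignores the cloud side, whose addresses change. The camera addresses and the second alert record are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample alerts in the thread's format; the second record is invented
# (a non-camera destination) so the suppression logic has something to keep.
SAMPLE_ALERTS = """\
Timestamp        : 2015-08-12 10:37:23
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 52.6.210.94:443 -> 10.1.3.174:57446

Timestamp        : 2015-08-12 10:41:07
Protocol         : tcp
Alert Message    : MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (1:19551:6)
Session          : 198.51.100.23:443 -> 10.1.5.9:50122
"""

# Hypothetical network group for the cameras (the thread's "DropCams" group);
# addresses constructed for this example. Host /32s or whole subnets both work.
CAMERA_GROUP = [ipaddress.ip_network(n) for n in ("10.1.3.174/32", "10.1.3.175/32")]

SESSION_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split the blank-line separated 'Key : value' blocks into one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; timestamps keep theirs
            fields[key.strip()] = value.strip()
        alerts.append(fields)
    return alerts


def sid_of(alert: Dict[str, str]) -> Optional[int]:
    """Extract the SID from the trailing '(gid:sid:rev)' of the alert message."""
    m = re.search(r"\((\d+):(\d+):(\d+)\)", alert.get("Alert Message", ""))
    return int(m.group(2)) if m else None


def in_group(ip: str, group) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def should_suppress(alert: Dict[str, str], camera_group=CAMERA_GROUP, sid: int = 19551) -> bool:
    """Suppress only this SID, and only when either endpoint is a camera."""
    if sid_of(alert) != sid:
        return False
    m = SESSION_RE.match(alert.get("Session", ""))
    if not m:
        return False  # unparseable session: never silently drop the alert
    return in_group(m.group(1), camera_group) or in_group(m.group(3), camera_group)


def triage(text: str) -> List[Dict[str, str]]:
    """Return the alerts that still fire after camera suppression is applied."""
    return [a for a in parse_alerts(text) if not should_suppress(a)]
```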

I understand the rule and the significance. The recommendation is to have the rule set to block. I am just trying to rule out a Dyre Trojan or any other type of malware using this. In this specific example it appears that the source IP is from Spain and according to the Firewall, it's Skype; P2P communication.

I will have to do some more checking, but I believe this traffic is tied to using Consumer Skype. There are too many source/destinations to Suppress this rule so I might as well disable. I will keep it at Drop and Generate just to be on the safe side. But I would like to know how this packet looks when it is a known malware trying to use the certificate.

Thanks.

Interesting, it's only been the DropCams that have triggered this rule for us. I guess I should feel fortunate. (-;

bachi.chow
Beginner

Yes, for me I am observing this signature from AT&T and Microsoft, Amazon AWS and many ... this rule is very noisy.

What kind of attack can the attacker do if I am not monitoring this kind of traffic (I mean if we disabled this rule SID:19551)?
