This page contains an overview of any detection and mitigation software regarding the SpookySSL vulnerability. On this page NCSC-NL will maintain a list of all known rules to detect SpookySSL presence or (suspected) exploitation. Furthermore, any references will contain specific information regarding detection and mitigation.
NCSC-NL has not verified the rules and software listed below and therefore cannot guarantee the validity of said rules. However, NCSC-NL strives to provide rules and detection and mitigation software from reliable sources.
Rule from Fox-IT Security Research Team:
alert tls any any -> any any (msg:"FOX-SRT - Exploit - Possible SpookySSL Certificate Observed (CVE-2022-3602)"; \
flow:established; \
content:"|2b 06 01 05 05 07 08 09|"; fast_pattern; \
content:"|06 03 55 1d 1e|"; content:"xn--"; \
content:!"|81|"; distance:-6; within:1; byte_test:2,>=,500,-6,relative; \
classtype:attempted-user; threshold:type limit,track by_src,count 1,seconds 3600; \
reference:url,www.openssl.org/news/secadv/20221101.txt; \
reference:url,https://github.com/fox-it/spookyssl-pcaps; \
metadata:ids suricata; \
metadata:created_at 2022-11-02; sid:21004268; rev:3;)
| PCAP | Description |
|---|---|
| spookyssl-windowscrash.pcap | Created using the Windows Crash PoC from DataDog |
| spookyssl-malicious_client.pcap | Created using the malicious_client PoC from DataDog |
| spookyssl-malicious_server.pcap | Created using the malicious_server PoC from DataDog |
| not-spookyssl-certificate.pcap | Legitimate punycode certificate (not malicous) |
For further context, see https://github.com/fox-it/spookyssl-pcaps