One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own.
The technical details are available at: https://www.us-cert.gov/ncas/alerts/TA16-144A
There are three avenues of detection I am aware of:
1) Detecting a DNS query with "wpad." in the content. This does not appear possible with the current custom signature engine, as there is not a 7 byte static anchor to signature off of.
2) Detecting an HTTP transaction in which the content of the "Host" header starts with "wpad."
3) Detecting an HTTP transaction in which the URI contains "wpad.dat"
I've written a custom signature that covers points 2 and 3 to illustrate what is possible.
This signature was written as an example to illustrate what the custom signature engine can do. It has minimal testing in a production environment, and is meant as a pivot point for creating your own custom protections.
It's also imperative to remember that this signature will be very noisy if it is applied to internal environments, and makes the most sense only applied to traffic destined for the untrust zone.
Have fun, signature enthusiasts!
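As an added illustration (this is not the custom signature from the post, and it does not use the Palo Alto custom-signature syntax), the following Python applies the same three indicators to constructed sample traffic: an HTTP request whose Host header starts with "wpad.", a request whose URI contains "wpad.dat", and a DNS query containing a "wpad" label. It also skips destinations in RFC 1918, loopback and link-local space, mirroring the advice above to apply the rule only to traffic leaving the network. The DNS parser walks the length-prefixed labels of the wire format, which is where the "no static anchor" problem comes from: the dotted string "wpad." never appears literally in the packet. All hostnames, addresses and packets below are constructed for the example.

```python
import ipaddress
from typing import Optional

# --- HTTP side: indicators 2 and 3 from the post ---

def parse_http_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request head into (request-target, headers).
    Only the request line and header fields are parsed; header names are
    lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers


def http_wpad_indicators(raw: bytes) -> set[str]:
    """Return the WPAD indicators present in one HTTP request:
    'host_wpad'    - Host header begins with "wpad." (port suffix ignored)
    'uri_wpad_dat' - request target contains "wpad.dat"
    Matching is case-insensitive because client casing varies."""
    target, headers = parse_http_request(raw)
    host = headers.get("host", "").lower()
    if not host.startswith("[") and ":" in host:   # strip :port, keep IPv6 literals intact
        host = host.rsplit(":", 1)[0]
    found: set[str] = set()
    if host.startswith("wpad."):
        found.add("host_wpad")
    if "wpad.dat" in target.lower():
        found.add("uri_wpad_dat")
    return found

# --- DNS side: indicator 1 from the post ---

def dns_qname(packet: bytes) -> str:
    """Decode the QNAME of the first question in a DNS message.
    Labels are <length><bytes> pairs ending in a zero byte, so "wpad." is
    never a literal byte string on the wire; the labels must be walked."""
    offset, labels = 12, []            # 12 = fixed DNS header size
    while True:
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower()


def dns_is_wpad(packet: bytes) -> bool:
    """True when some label of the queried name is exactly 'wpad'."""
    return "wpad" in dns_qname(packet).split(".")

# --- scope: only alert on traffic leaving the internal network ---

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_untrust(dst_ip: str) -> bool:
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(record: dict) -> Optional[str]:
    """Apply the indicators to one record {"proto", "dst", "payload"}.
    Returns a reason string for an alert, or None. Internal destinations
    are skipped entirely, which is where the rule would otherwise be noisy."""
    if not is_untrust(record["dst"]):
        return None
    if record["proto"] == "dns":
        return "dns-qname-wpad" if dns_is_wpad(record["payload"]) else None
    if record["proto"] == "http":
        hits = http_wpad_indicators(record["payload"])
        return "http-" + "+".join(sorted(hits)) if hits else None
    return None

# Constructed sample traffic (hostnames/addresses are placeholders, not real hosts).
DNS_HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
DNS_TAIL = b"\x00\x01\x00\x01"        # QTYPE A, QCLASS IN
SAMPLE_RECORDS = [
    {"proto": "http", "dst": "203.0.113.10",
     "payload": b"GET /wpad.dat HTTP/1.1\r\nHost: wpad.corp.example\r\n\r\n"},
    {"proto": "http", "dst": "203.0.113.10",
     "payload": b"GET /proxy.pac HTTP/1.1\r\nHost: WPAD.example.net:8080\r\n\r\n"},
    {"proto": "http", "dst": "10.1.2.3",          # internal destination: suppressed
     "payload": b"GET /wpad.dat HTTP/1.1\r\nHost: wpad.corp.example\r\n\r\n"},
    {"proto": "http", "dst": "203.0.113.10",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"proto": "dns", "dst": "203.0.113.53",
     "payload": DNS_HEADER + b"\x04wpad\x04corp\x07example\x00" + DNS_TAIL},
    {"proto": "dns", "dst": "203.0.113.53",
     "payload": DNS_HEADER + b"\x03www\x07example\x03com\x00" + DNS_TAIL},
]


def run(records=SAMPLE_RECORDS) -> list[Optional[str]]:
    return [evaluate(r) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, run()):
        print(f"{rec['proto']:4} -> {rec['dst']:15} {verdict or 'no alert'}")
```

Run it as a script to see one verdict per sample record. The third record is the noise case the post warns about: a legitimate wpad.dat fetch against an internal host, which the destination filter suppresses while the same request to an external address still alerts.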
Thank you for this!!! I see wpad.dat traffic every 10 minutes from 3 different sources in California. I was able to use URL filtering to block it, but this is a much more precise approach!!!