Snort mailing list archives
Re: detect SSTP tunnel
From: rmkml <rmkml () yahoo fr>
Date: Wed, 5 Oct 2011 21:18:13 +0200 (CEST)
Hi Joel,

Sorry, nothing. The script (Python) on the reference links uses SSL over 443; I have created this specific rule.
Has VRT worked on the SSTP protocol, please?

Best Regards
Rmkml
http://twitter.com/rmkml

On Wed, 5 Oct 2011, Joel Esler wrote:
> rmkml,
>
> Do you have a pcap for this? Or just the reference?
>
> --
> J
>
> On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml () yahoo fr> wrote:
>> Hi,
>>
>> First, thanks to HSC for the published/shared news.
>> Second, if SSTP is over SSL, it's encrypted (look at MiTM).
>> But if an internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
>>
>> alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
>>
>> Check/adapt Snort variables of course.
>>
>> Regards
>> Rmkml
>> http://twitter.com/rmkml
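The content options of the rule in this thread (`content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0`), emulated in Python as an added example that is not code from the thread or from Snort. The payloads, the `/constructed-path/` URI and the `example.test` host names are constructed samples, and `classify`/`triage` are hypothetical helper names.

```python
# Added example: emulates the content options of the rule quoted above.
# All payloads below are constructed samples, not captured traffic.
METHOD = b"SSTP_DUPLEX_POST"   # content:"SSTP_DUPLEX_POST"
OFFSET, DEPTH = 0, 16          # offset:0; depth:16


def rule_matches(payload: bytes) -> bool:
    """content + nocase + offset/depth: search only bytes [0, 16), ignoring case."""
    window = payload[OFFSET:OFFSET + DEPTH]
    return METHOD.lower() in window.lower()


def classify(payload: bytes) -> str:
    """Label a client-to-server payload for triage (hypothetical helper)."""
    if rule_matches(payload):
        return "sstp-method"      # cleartext request line visible to the sensor
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"    # encrypted session: the method is not visible
    return "no-match"


SAMPLES = {
    # Cleartext request line starting with the SSTP method: the rule fires.
    "cleartext": b"SSTP_DUPLEX_POST /constructed-path/ HTTP/1.1\r\n"
                 b"Host: vpn.example.test\r\n\r\n",
    # nocase: a lowercase method still matches.
    "lowercase": b"sstp_duplex_post /constructed-path/ HTTP/1.1\r\n\r\n",
    # The string appears past byte 16, so depth:16 keeps the rule quiet.
    "in_url": b"GET /search?q=SSTP_DUPLEX_POST HTTP/1.1\r\n"
              b"Host: www.example.test\r\n\r\n",
    # Start of a TLS handshake record: nothing for a content match to see.
    "tls": bytes.fromhex("160301002e0100002a0303"),
}


def triage(samples: dict) -> dict:
    """Return the verdict for each named sample payload."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10} {verdict}")
```

Because the content is 16 bytes long and the search window is bytes 0 to 16, the rule only fires when the payload begins with the method name.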
Current thread:
- detect SSTP tunnel rmkml (Oct 04)
- Re: detect SSTP tunnel Joel Esler (Oct 05)
- Re: detect SSTP tunnel rmkml (Oct 05)
- Re: detect SSTP tunnel Joel Esler (Oct 05)