Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: blocking Google Desktop

From: sekure <sekure () gmail com>
Date: Tue, 14 Feb 2006 13:23:38 -0500
I believe it is per TCP session, but don't quote me on that.  Actually
now that i think about it, if it indeed is per TCP session then the
second rule will not trigger, since the SSL connection will be a part
of a different session.

I am not 100% sure though.  Try it out and let us know. You might want
to post to snort-sigs or snort-users and see if they are more helpful.

On 2/14/06, Michael Holstein <michael.holstein () csuohio edu> wrote:

The first rule would get flowbits:noalert; flowbits:set,google.user.agent;
And the second rule would get flowbits:isset,google.user.agent;


Is that global (if #1, then always #2), or is it "per-IP" ?

I verified I can block the SSL session setup using the snort sig I
posted the other day .. but it kills any Google SSL (gmail, groups,
etc.) .. which is fine, provided I can only block google SSL to users
that are running the desktop.

~Mike.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: