Snort mailing list archives
Re: detect SSTP tunnel
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 5 Oct 2011 11:03:08 -0400
rmkml,

Do you have a pcap for this? Or just the reference?

-- J

On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml () yahoo fr> wrote:

Hi,
First, thanks to HSC for publishing/sharing the news. Second, if SSTP runs over SSL it is encrypted (see MiTM). But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:

alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)

Check/adapt Snort variables of course.

Regards
Rmkml
http://twitter.com/rmkml

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
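The rule quoted above, emulated in Python as an added example (not code from the thread or from Snort) so that each option's effect is explicit: flow direction, the $PROXY_PORTS variable (assumed here to be 3128 and 8080), and the offset:0/depth:16 window that pins the 16-byte method name to the very start of the payload. The sample payloads are constructed; the request target is a placeholder, not real SSTP data.

```python
# Added example: pure-Python emulation of the "WEB-MISC detect SSTP tunnel"
# rule from the thread, run over constructed TCP segments.
from dataclasses import dataclass

# Assumption: stand-in for the $PROXY_PORTS Snort variable.
PROXY_PORTS = {3128, 8080}
# content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0
CONTENT = b"SSTP_DUPLEX_POST"
OFFSET, DEPTH = 0, 16


@dataclass
class Segment:
    """One TCP segment plus the flow metadata the rule's 'flow' option needs."""
    to_server: bool     # flow:to_server
    established: bool   # flow:established
    dst_port: int       # matched against $PROXY_PORTS
    payload: bytes


def matches_sstp_rule(seg: Segment) -> bool:
    """True if the segment satisfies every option of the rule."""
    if not (seg.to_server and seg.established):
        return False
    if seg.dst_port not in PROXY_PORTS:
        return False
    # offset:0 depth:16 limits the search to the first 16 payload bytes, which
    # is exactly the pattern length, so the method name must start at byte 0.
    window = seg.payload[OFFSET:OFFSET + DEPTH]
    return CONTENT in window.upper()   # nocase


def alerting_indexes(segments) -> list:
    """Indexes of the segments Snort would alert on."""
    return [i for i, s in enumerate(segments) if matches_sstp_rule(s)]


# Constructed samples (placeholder request target, not real SSTP data).
SAMPLES = [
    Segment(True, True, 8080, b"SSTP_DUPLEX_POST /sra_{placeholder}/ HTTP/1.1\r\nHost: vpn.example\r\n\r\n"),
    Segment(True, True, 3128, b"sstp_duplex_post /sra_{placeholder}/ HTTP/1.1\r\n"),  # nocase
    Segment(True, True, 8080, b"POST /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Segment(True, True, 8080, b"X-SSTP_DUPLEX_POST ..."),   # pattern not at offset 0
    Segment(False, True, 8080, b"SSTP_DUPLEX_POST ..."),    # server -> client
    Segment(True, True, 443, b"SSTP_DUPLEX_POST ..."),      # not a proxy port
]

if __name__ == "__main__":
    print(alerting_indexes(SAMPLES))  # [0, 1]
```

As the quoted message notes, SSTP spoken directly to the VPN server is inside SSL, so this rule only sees the cleartext request a client hands to a plain web proxy.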