Snort mailing list archives

Re: detect SSTP tunnel


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 5 Oct 2011 11:03:08 -0400

rmkml,

Do you have a pcap for this? Or just the reference?

--
J

On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml () yahoo fr> wrote:

Hi,
First, thanks to HSC for publishing/sharing the news.
Second, if SSTP is over SSL, it is encrypted (look at MiTM).

But if the internal browser uses a web proxy, look at this rule to detect the new HTTP
method used by SSTP:
 alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; \
     flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; \
     reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; \
     classtype:web-application-activity; sid:x; rev:1;)
Check/adapt the Snort variables, of course.

Regards
Rmkml
http://twitter.com/rmkml
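Added here as an illustration, not code from the thread or from Snort: a small Python model of the rule's payload options (content, nocase, offset:0, depth:16, flow:to_server) run over constructed request bytes, so the effect of each modifier can be checked without a sensor. The hostnames and paths in the samples are made up.

```python
# Added example, not code from the thread: a small Python model of the payload
# options in rmkml's Snort rule, run over constructed HTTP request bytes so the
# effect of each modifier (content, nocase, offset:0, depth:16, flow:to_server)
# can be checked without a sensor. Paths and hosts below are made up.

PATTERN = b"SSTP_DUPLEX_POST"   # content:"SSTP_DUPLEX_POST" (16 bytes)
OFFSET = 0                      # offset:0  -> search starts at payload byte 0
DEPTH = 16                      # depth:16  -> search covers the first 16 bytes only


def sstp_rule_matches(payload: bytes, to_server: bool = True) -> bool:
    """Return True when the rule's payload options would fire on this segment.

    Snort searches for the content, case-insensitively (nocase), only inside
    the window payload[OFFSET:OFFSET + DEPTH]; anything after that is ignored.
    """
    if not to_server:
        return False  # flow:to_server,established: only client -> proxy traffic
    window = payload[OFFSET:OFFSET + DEPTH]
    return PATTERN.lower() in window.lower()


# Constructed sample segments (not captured traffic) with the expected verdict.
SAMPLES = {
    # SSTP method at the very start of the request: matches.
    "sstp_method":   (b"SSTP_DUPLEX_POST /sstp-demo/ HTTP/1.1\r\nHost: vpn.example\r\n", True),
    # Same method in lower case: still matches because of nocase.
    "sstp_lower":    (b"sstp_duplex_post /sstp-demo/ HTTP/1.1\r\nHost: vpn.example\r\n", True),
    # Ordinary proxied request: no match.
    "plain_post":    (b"POST /login HTTP/1.1\r\nHost: www.example\r\n", False),
    # Token present but beyond the first 16 bytes: depth:16 keeps it out.
    "token_in_body": (b"GET /x HTTP/1.1\r\nX-Note: SSTP_DUPLEX_POST\r\n", False),
    # Leading CRLF pushes the method past offset 0: the rule does not fire,
    # so the 16-byte window only covers a method sent at the segment start.
    "leading_crlf":  (b"\r\nSSTP_DUPLEX_POST /sstp-demo/ HTTP/1.1\r\n", False),
}


def evaluate_samples() -> dict:
    """Run the rule model over SAMPLES and return {name: (got, expected)}."""
    return {name: (sstp_rule_matches(data), want) for name, (data, want) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (got, want) in evaluate_samples().items():
        status = "ok" if got == want else "MISMATCH"
        print(f"{name:14s} match={got!s:5s} expected={want!s:5s} {status}")
    # A server -> client segment never fires, whatever it contains.
    print("server_reply   match=", sstp_rule_matches(b"SSTP_DUPLEX_POST", to_server=False))
```

The leading_crlf sample shows the trade-off in offset:0/depth:16: it keeps the check cheap and avoids matching the token inside headers or bodies, but only fires when the method is the first thing in the segment.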


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

