Snort mailing list archives

Re: Ultrasurf and Hotspot Shield pattern


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 23 May 2013 10:06:16 -0400

On 5/23/2013 04:13, Ozgur Karatas wrote:
Hello all,

I am using Snort (Version 2.9.3.1 IPv6 GRE (Build 40)) and I am trying Snort IPQ
mode:

$ iptables -A FORWARD -j QUEUE
$ snort -d -D --daq ipq -Q -c /etc/snort/snort.conf

Snort sniffed incoming and outgoing TCP/UDP traffic. My Snort server is running
in bridge mode. How can I stop ultrasurf and hotspotshield traffic? I don't
formulate to snort pattern.

RE: ultrasurf
you can't really... maybe with a man-in-the-middle configuration but who wants 
to go thru all that? some corporations do, though... in reality, the best you 
can do is to enforce company policy and remove the ultrasurf executable from 
users' machines (AD logon scripts anyone?)... here are some links concerning 
ultrasurf courtesy of uncle google... there should be enough pointers in there 
to help you get started ;)

http://wiki.mikrotik.com/wiki/How_to_Detect_and_Block_UltraSurf_program_traffic

http://yro.slashdot.org/story/09/10/26/1241238/ultrasurf-easily-blocked-but-so-what


RE: hotspotshield
basically the same as above...

http://community.spiceworks.com/topic/277623-best-way-to-block-hotspot-shield-and-other-unwanted-proxy-vpn-style-software

http://www.minecraftforum.net/topic/1409776-block-hotspot-shieldanchorfree-vpn/


basically it comes down to trying to apply tech to control social problems and 
that's always going to be fraught with failure... to combat these situations, 
there needs to be corporate policy in place prohibiting these activities and 
that policy must be enforced... using tech to detect and track these violations 
is needed but there must still be an enforced policy in place once the violators 
have been identified and the evidence built against their activities...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
