[Snort-sigs] gotomypc.com signature

Chris Green cmg at ...435...
Wed Mar 13 08:55:19 EST 2002


Based on a thread over on the pen-test mailing list and having seen a
few people ask this question before, here's a new rule for
policy.rules:

# $Id$
#
# 

Rule:  alert ip 63.251.224.177 any -> $HOME_NET any \
   (msg: "POLICY: poll.gotomypc.com access"; \
    reference: url, www.gotomypc.com/help2.tmpl; )


--
Sid:

--
Summary:  This indicates access from the poll.gotomypc.com machine.
This is used by gotomypc.com as a litmus test to see if a network's
policies allow the use of the remote access of gotomypc.

--
Impact:  This may indicate policy violation of remote access to a
firewalled machine.

--
Detailed Information:  T


--
Attack Scenarios:  Employee installs gotomypc.com software on their
machine and accesses it from home.  Their home machine is compromised
and now the attacker has access to a firewalled workstation.

--
Ease of Attack:  Easy for end users to install the software.

--
False Positives:  Allowed gotomypc access.

--
False Negatives:  If they change the IP for poll.gotomypc.com or
change the way one may block it, this will become a negative.

--
Corrective Action:  Firewall off poll.gotomypc.com and uninstall the
software from the user's machine.

--
Contributors:
Chris Green <cmg at ...435...>

-- 
Additional References:


-- 
Chris Green <cmg at ...435...>
You now have 14 minutes to reach minimum safe distance.
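
An added example, not part of the original post and not Snort code: a small Python model of how the rule header above selects packets. It shows that `->` matches only traffic from 63.251.224.177 into $HOME_NET (the replies, not the workstation's outbound poll) and that a changed poll address is missed, as the False Negatives entry says. The $HOME_NET value and the packet list are constructed assumptions.

```python
import ipaddress
import re

# Header of the rule posted above; the options do not affect which packets match.
RULE_HEADER = "alert ip 63.251.224.177 any -> $HOME_NET any"

# Assumption: constructed value for $HOME_NET; use the one from your snort.conf.
VARIABLES = {"$HOME_NET": "10.0.0.0/8"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)

def parse_header(header, variables):
    """Split a rule header and resolve each address to a network (None = any)."""
    m = HEADER_RE.match(header.strip())
    if m is None:
        raise ValueError("not a rule header: %r" % header)
    h = m.groupdict()
    if h["sport"] != "any" or h["dport"] != "any":
        raise NotImplementedError("this model only handles 'any' ports")
    for side in ("src", "dst"):
        value = variables.get(h[side], h[side])
        h[side] = None if value == "any" else ipaddress.ip_network(value, strict=False)
    return h

def covers(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def header_matches(h, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip satisfies the header's address part."""
    forward = covers(h["src"], src_ip) and covers(h["dst"], dst_ip)
    if h["dir"] == "<>":  # bidirectional operator also accepts the reverse
        return forward or (covers(h["src"], dst_ip) and covers(h["dst"], src_ip))
    return forward        # "->" is one-way: left side is always the source

# Constructed packets (source, destination, note).
PACKETS = [
    ("10.1.2.3", "63.251.224.177", "workstation polls out"),
    ("63.251.224.177", "10.1.2.3", "poll server reply"),
    ("203.0.113.50", "10.1.2.3", "reply from a moved poll host (constructed IP)"),
    ("63.251.224.177", "192.0.2.10", "destination outside $HOME_NET"),
]

if __name__ == "__main__":
    hdr = parse_header(RULE_HEADER, VARIABLES)
    for src, dst, note in PACKETS:
        verdict = "ALERT" if header_matches(hdr, src, dst) else "no match"
        print("%-15s -> %-15s %-9s %s" % (src, dst, verdict, note))
```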




