[Snort-sigs] GotoMyPC Sig

Matthew Jonkman matt at ...2436...
Tue Jun 8 16:33:01 EDT 2004


Added a simple sig to the bleeding rules to detect the GotoMyPC polling 
that a client does when it's available to be connected to.

I actually spent half an hour figuring out and writing the rule, only 
to find someone had posted an almost identical rule a couple years ago. 
So I've added them to the Bleeding set to hopefully prevent anyone else 
from wasting their time as I did so well.

I'd like to write a rule that'll trip when a person connects to a 
gotomypc station as well but so far haven't seen anything unique in the 
traffic. It seems to be all ssl. If anyone has any insight there I'd 
appreciate it.

Here's the polling rule. This will give you tons of hits, so if you have 
authorized gotomypc stations on your net be SURE to write a pass rule 
for those. Fair warning. :)

alert tcp any any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoMyPC Polling Client"; rev:1; sid:2000307;)

It's up at http://www.bleedingsnort.com as well.

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
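
Two ways to handle the authorized stations the post warns about, as an added example that is not from the original message or the Bleeding rule set. The station addresses, the variable name GOTOMYPC_AUTHORIZED, the msg strings and the sids are constructed placeholders.

```snort
# Added example: addresses, variable name and sids below are constructed placeholders.
# Authorized GotoMyPC stations on the local network (hypothetical hosts).
var GOTOMYPC_AUTHORIZED [10.0.0.25,10.0.0.31]

# Option 1: pass rule for the authorized stations. This only suppresses the
# alert when the sensor evaluates pass rules before alert rules (on Snort 2.x
# of this period, start it with -o to get pass/alert/log ordering).
pass tcp $GOTOMYPC_AUTHORIZED any -> 66.151.158.177 any (msg:"LOCAL Authorized GotoMyPC Polling Client"; sid:1000001; rev:1;)

# Option 2: no pass rule. Exclude the authorized stations in the alert header
# and rate-limit to one alert per source per hour, since polling repeats often.
alert tcp !$GOTOMYPC_AUTHORIZED any -> 66.151.158.177 any (msg:"LOCAL GotoMyPC Polling Client from unauthorized station"; threshold: type limit, track by_src, count 1, seconds 3600; sid:1000002; rev:1;)
```

Option 2 is meant to be loaded in place of the posted rule, not alongside it; otherwise the authorized stations still trip sid 2000307.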

