[Snort-sigs] detect SSTP tunnel

Joel Esler jesler at ...435...
Wed Oct 5 11:03:08 EDT 2011


rmkml,

Do you have a pcap for this?  Or just the reference?

--
J

On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml at ...174...> wrote:

> Hi,
> First, thanks to HSC for publishing/sharing the news.
> Second, if SSTP is over SSL it is encrypted (look at MiTM).
>
> But if an internal browser uses a web proxy, look at this rule to detect the new HTTP
> method used by SSTP:
>  alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel";
> flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16;
> offset:0; fast_pattern;
> reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr;
> classtype:web-application-activity; sid:x; rev:1;)
> Check/adapt snort variables of course.
>
> Regards
> Rmkml
> http://twitter.com/rmkml
>
>
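The content check of the rule quoted above, as an added example that is not part of the original thread and not Snort's own code: a Python mirror of the content/offset/depth/nocase semantics run over constructed request payloads. The SSTP_DUPLEX_POST request line, its /sra_{...}/ URI and the 2^64-1 Content-Length follow the MS-SSTP specification; the addresses, the host names and the proxy port set {3128, 8080} standing in for $PROXY_PORTS are assumptions made for the example.

```python
"""Mirror of the Snort rule's matching logic.

The rule fires when a client-to-server TCP payload to a proxy port contains
SSTP_DUPLEX_POST, case-insensitively, starting at byte 0 and ending within
the first 16 bytes (offset:0; depth:16; nocase).  This is an added example,
not code from the mailing-list thread or from Snort.
"""

PATTERN = b"SSTP_DUPLEX_POST"   # content:"SSTP_DUPLEX_POST"; nocase;
OFFSET = 0                      # offset:0
DEPTH = 16                      # depth:16 (exactly the pattern length)
PROXY_PORTS = {3128, 8080}      # assumed stand-in for $PROXY_PORTS


def matches_sstp_rule(payload: bytes) -> bool:
    """True if the payload satisfies the rule's content/offset/depth/nocase check.

    Snort counts depth from offset, so the whole match must lie inside
    payload[OFFSET:OFFSET + DEPTH]; nocase makes the compare case-insensitive.
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    return PATTERN.lower() in window.lower()


def http_method(payload: bytes) -> str:
    """Return the method token of an HTTP request line, for the alert record."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.split(b" ", 1)[0].decode("ascii", "replace")


def scan(flows) -> list:
    """Apply the rule to an iterable of (src, dst, dport, payload) tuples.

    Only to_server payloads on a proxy port are considered, as in the rule
    header 'any any -> any $PROXY_PORTS'.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if dport in PROXY_PORTS and matches_sstp_rule(payload):
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "method": http_method(payload)})
    return alerts


# Constructed sample traffic (not captured data); addresses are made up.
SAMPLE_FLOWS = [
    # 1. Real SSTP handshake as sent through a proxy: fires.
    ("10.0.0.5", "10.0.0.1", 3128,
     b"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\r\n"
     b"Host: vpn.example.test\r\nContent-Length: 18446744073709551615\r\n\r\n"),
    # 2. Lower-case method: fires because of nocase.
    ("10.0.0.6", "10.0.0.1", 3128,
     b"sstp_duplex_post /sra_x/ HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"),
    # 3. Ordinary CONNECT through the proxy: no match.
    ("10.0.0.7", "10.0.0.1", 3128,
     b"CONNECT vpn.example.test:443 HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"),
    # 4. Token present but only in a header, beyond depth 16: no match.
    ("10.0.0.8", "10.0.0.1", 3128,
     b"POST /upload HTTP/1.1\r\nX-Note: SSTP_DUPLEX_POST\r\n\r\n"),
    # 5. Direct SSTP to 443 is inside TLS; the rule sees only a ClientHello
    #    prefix (bytes constructed for the example) and is not on a proxy port.
    ("10.0.0.9", "10.0.0.1", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def main() -> None:
    for alert in scan(SAMPLE_FLOWS):
        print("WEB-MISC detect SSTP tunnel: %(src)s -> %(dst)s:%(dport)d method=%(method)s"
              % alert)


if __name__ == "__main__":
    main()
```

Flows 1 and 2 produce alerts; flows 3 to 5 do not. Flow 4 is the reason depth:16 matters: without it the token would also match inside request bodies and headers, and flow 5 is rmkml's point that SSTP carried directly over SSL never exposes the method to the sensor.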