[Snort-sigs] detect SSTP tunnel

rmkml rmkml at ...174...
Wed Oct 5 15:18:13 EDT 2011


Hi Joel,
sorry, nothing.
The script (Python) at the reference links uses SSL over 443; I have created this specific rule.
Has VRT worked on the SSTP protocol, please?
Best Regards
Rmkml
http://twitter.com/rmkml


On Wed, 5 Oct 2011, Joel Esler wrote:

> rmkml,
> Do you have a pcap for this?  Or just the reference?
> 
> --
> J
> 
> On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml at ...174...> wrote:
>       Hi,
>       First, thanks to HSC for publishing/sharing the news.
>       OK, second, if SSTP is over SSL: encrypted (look at MiTM).
>
>       But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
>        alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern;
>       reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
>       Check/adapt the Snort variables, of course.
>
>       Regards
>       Rmkml
>       http://twitter.com/rmkml
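
Added example, not part of the original thread or of any Snort code: a Python emulation of the content options used in the rule above (content, nocase, offset:0, depth:16), run over constructed payloads to show which byte streams the rule would and would not fire on. The host names, paths and payload bytes are made up for illustration.

```python
# Emulates Snort's content/nocase/offset/depth semantics for the rule above.
# All payloads below are constructed samples, not captured traffic.

PATTERN = b"SSTP_DUPLEX_POST"  # 16 bytes, the method name the rule looks for


def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """Search for `pattern` in the `depth` bytes that start at `offset`."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_fires(payload):
    # content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0;
    return content_match(payload, PATTERN, offset=0, depth=16, nocase=True)


SAMPLES = {
    # Method name at the very start of a cleartext stream: matches.
    "cleartext_sstp": b"SSTP_DUPLEX_POST /example HTTP/1.1\r\n"
                      b"Host: vpn.example.test\r\n\r\n",
    # nocase makes the match case-insensitive.
    "lowercase_method": b"sstp_duplex_post /example HTTP/1.1\r\n\r\n",
    # A proxy CONNECT request does not carry the method name.
    "proxy_connect": b"CONNECT vpn.example.test:443 HTTP/1.1\r\n\r\n",
    # Start of a TLS handshake record: nothing readable to match.
    "tls_record": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32),
    # The string appears later in the stream, outside depth:16.
    "string_in_body": b"POST /search HTTP/1.1\r\n\r\nq=SSTP_DUPLEX_POST",
    # One leading byte pushes the 16-byte pattern out of the window.
    "leading_space": b" SSTP_DUPLEX_POST /example HTTP/1.1\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample name: True if the emulated rule would alert}."""
    return {name: rule_fires(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:18} {'ALERT' if fired else 'no match'}")
```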

