rmkml,<div><br></div><div>Do you have a pcap for this?  Or just the reference?</div><div><br></div><div>--</div><div>J</div><div><br><div class="gmail_quote">On Tue, Oct 4, 2011 at 9:55 AM, rmkml <span dir="ltr"><<a href="mailto:rmkml@...174...">rmkml@...174...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi,<br>
First, thanks to HSC for publishing/sharing the news.<br>
OK, second: if SSTP is over SSL, it's encrypted (look at MitM).<br>
<br>
But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:<br>
  alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; reference:url,<a href="http://www.hsc.fr/ressources/breves/sstp.html.fr" target="_blank">http://www.hsc.fr/ressources/breves/sstp.html.fr</a>; classtype:web-application-activity; sid:x; rev:1;)<br>
Check/adapt Snort variables, of course.<br>
<br>
Regards<br>
Rmkml<br>
<a href="http://twitter.com/rmkml" target="_blank">http://twitter.com/rmkml</a><br>
<br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
</blockquote></div><br></div>
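Added example, not part of either message: a small Python model of the rule's content options (content, nocase, offset:0, depth:16), run over constructed payloads to show which ones the pattern window accepts when no pcap is at hand. It does not model flow state or $PROXY_PORTS; the host names, URIs and payloads are placeholders built for this example.

```python
"""Model of the content match in the quoted rule (added example)."""

PATTERN = b"SSTP_DUPLEX_POST"  # content:"SSTP_DUPLEX_POST" (16 bytes)
OFFSET = 0                     # offset:0
DEPTH = 16                     # depth:16, counted from OFFSET


def content_match(payload: bytes, pattern: bytes = PATTERN,
                  offset: int = OFFSET, depth: int = DEPTH,
                  nocase: bool = True) -> bool:
    """True if pattern lies wholly inside payload[offset:offset + depth]."""
    window = payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


# Constructed payloads, not taken from a capture.
SAMPLES = {
    # Method in cleartext as the first bytes of the segment.
    "method_at_start": b"SSTP_DUPLEX_POST /placeholder/ HTTP/1.1\r\n"
                       b"Host: vpn.example.test\r\n\r\n",
    # Same request, different case: accepted because of nocase.
    "lowercase_method": b"sstp_duplex_post /placeholder/ HTTP/1.1\r\n\r\n",
    # One leading byte pushes the string past the 16-byte window.
    "leading_space": b" SSTP_DUPLEX_POST /placeholder/ HTTP/1.1\r\n\r\n",
    # The string appears only in a request body, outside the window.
    "string_in_body": b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
                      b"Content-Length: 16\r\n\r\nSSTP_DUPLEX_POST",
    # Proxy CONNECT: the proxy sees only the CONNECT line in cleartext.
    "proxy_connect": b"CONNECT vpn.example.test:443 HTTP/1.1\r\n"
                     b"Host: vpn.example.test:443\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample name: whether the content options would match}."""
    return {name: content_match(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18s} {'MATCH' if hit else 'no match'}")
```

Because the pattern is 16 bytes long and depth is 16, the only accepted position is the very first byte of the payload.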