[Snort-users] Commercial Advanced Packet Sniffers, how do they do this? Application signatures?

Jason Brvenik jasonb at ...1935...
Sat Jan 23 15:40:16 EST 2010

Snort itself has had these capabilities for a long time and they have
been use for various purposes by all manner of folks.

The default VRT rules set has content-replace.rules that would be an
example of this usage. An example from that file (with details
removed) prevents inbound file transfers in AIM.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE AIM
deny in-bound file transfer attempts"; flow:to_client,established;
[...]; replace:"XXXX"; classtype:policy-violation; sid:12037; rev:2;)

The concept is simple once you understand the protocols involved.
Doing the proxy termination is not difficult either as long as you
have control of the clients.

On Fri, Jan 22, 2010 at 3:22 PM, Dimitri Syuoul <dsyuoul at ...11827...> wrote:
> Hello guys,
> I was wondering if anybody could give me feedback on these two
> commercial appliances:
> http://www.paloaltonetworks.com/solutions/app-control.html
> http://www.bluecoat.com/products/sg
> It seems these have two key things a.) proxy for 443/80 with SSL
> termination, and b.) an advanced packet sniffer for all the other
> ports
> Iam interested in B. With over 900 application "signatures" including
> Bittorent, Skype, MSN (which now a days uses multiple ports also)...
> it even lets you block if you want to allow Instant Messaging but not
> allow WebCams inside instant messaging...
> I have been breaking my head for days now and Id like to head from the
> people at snort... how exactly would an appliance be able to
> "signature" all these and manipulate them? As far as I Know the
> community has never seen application signatures.. right?
> Please do not reply this message and say a standard port base blocking
> does this, because we know it doesnt ;-) specially Skype who can
> connect pretty much on any open port available on the client machine.
> Thanks.
> --Dimitri
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for Conference
> attendees to learn about information security's most important issues through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list