[Snort-users] Snort and IM

JJ Cummings cummingsj at ...11827...
Mon Feb 18 19:56:17 EST 2013


And, as another point, start to familiarize yourself with tools like Wireshark. You would be able to analyze the content that you were trying to detect and easily identify where the issue lies, i.e. encrypted (SSL) traffic or invalid content matches, etc.

JJC

Sent from the iRoad

On Feb 18, 2013, at 17:33, Joel Esler <jesler at ...1935...> wrote:

> There are commercial SSL decryptors which will pass the unencrypted traffic to Snort.
> 
> --
> Joel Esler
> Sent from my iPhone 
> 
> On Feb 18, 2013, at 3:41 PM, Josh Bitto <jbitto at ...16055...> wrote:
> 
>> Oh, I didn't know TeamSpeak used SSL... OK, that explains a lot.
>>  
>> Thank you!
>>  
>> I'm wondering why they created a rule set for TCP if the standard is SSL.
>>  
>>  
>>  
>> From: Dustin Webber [mailto:dustin.webber at ...11827...] 
>> Sent: Monday, February 18, 2013 12:39 PM
>> To: Josh Bitto
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort and IM
>>  
>> Yeah, that will be the same story. :(
>>  
>> On Feb 18, 2013, at 2:37 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> 
>> Ok so what about teamspeak?
>>  
>>  
>>  
>> From: Dustin Webber [mailto:dustin.webber at ...11827...] 
>> Sent: Monday, February 18, 2013 12:36 PM
>> To: Josh Bitto
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort and IM
>>  
>> But like I said, Facebook is over SSL by default, so you won't see this, only the initial request.
>>  
>>  
>> On Feb 18, 2013, at 2:32 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> 
>> 
>> Oh wait... hahaha... brain fart... I see what you're saying: put /ajax/mercury/send_messages.php
>>  
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
>>  
>> From: Dustin Webber [mailto:dustin.webber at ...11827...] 
>> Sent: Monday, February 18, 2013 12:28 PM
>> To: Josh Bitto
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort and IM
>>  
>> Josh, 
>>  
>> Looks like this rule is just out of date. The POST URL I see for this is `/ajax/mercury/send_messages.php`; try that.
>>  
>> On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> 
>> 
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
>> 
>> 
>> 
>> This rule is the one that was downloaded from snort.org. I don't have any custom rule sets.
>> 
>> I'm able to go to Facebook chat and chat up a storm with someone I know, and I don't even get an alert on it.
>> 
>> 
>> 
>> ________________________________________
>> From: Dustin Webber [dustin.webber at ...11827...]
>> Sent: Monday, February 18, 2013 12:18 PM
>> To: Josh Bitto
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort and IM
>> 
>> What does your rule look like? Also, isn't that SSL traffic? Are you looking for connections to a certain domain?
>> 
>> Anyway, let's see the rule and I'm sure we can get this going.
>> 
>> On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> 
>> I'm having issues where I can't get the Emerging Threats rules to fire on instant messaging or on logging into TeamSpeak 3. I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next course of action to fix the issue?
>> 
>> 
>> ------------------------------------------------------------------------------
>> The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
>> is your hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials, tech docs,
>> whitepapers, evaluation guides, and opinion stories. Check out the most
>> recent posts - join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>  
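Added example, written for this archive page and not part of the thread, of Snort, or of the Emerging Threats rule set: a small Python script that models the two reasons raised above for the rule not firing. It runs the two rule revisions quoted in the thread (old URI `/ajax/chat/send.php`, updated URI `/ajax/mercury/send_messages.php`) against a constructed cleartext Facebook chat POST, then against a constructed TLS ClientHello for the same host, and shows that only the updated rule matches the cleartext request and that neither rule can match once the session is SSL, where the SNI in the ClientHello is the one cleartext field that still names the destination site. The content matcher is a deliberate simplification of Snort's HTTP inspection (no URI or header normalisation, no `nocase`/`distance`/`within`); the HTTP request, the ClientHello and the helper names are all mine.

```python
import re

# Constructed sample input (not captured from the thread): the Facebook chat
# POST as it would look if it were sent in the clear.
HTTP_REQUEST = (
    b"POST /ajax/mercury/send_messages.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello=world"
)

# The two rule revisions quoted in the thread (sid 2010784, rev 3).
OLD_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            '(msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; '
            'content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; '
            'content:"facebook.com"; http_header; '
            'reference:url,doc.emergingthreats.net/2010784; '
            'classtype:policy-violation; sid:2010784; rev:3;)')
NEW_RULE = OLD_RULE.replace('/ajax/chat/send.php', '/ajax/mercury/send_messages.php')

HTTP_BUFFERS = ('http_method', 'http_uri', 'http_header')


def parse_rule(rule):
    """Return [(buffer, pattern)] for each content match in a Snort rule.
    Toy parser: only content and its http_* modifiers are handled, every other
    option (msg, flow, reference, sid, ...) is ignored, and patterns containing
    ';' or |hex| escapes are not supported."""
    opts = re.search(r'\((.*)\)\s*$', rule).group(1)
    matches = []
    for opt in (o.strip() for o in opts.split(';') if o.strip()):
        if opt.startswith('content:'):
            matches.append(['raw', opt[len('content:'):].strip().strip('"').encode()])
        elif opt in HTTP_BUFFERS:
            matches[-1][0] = opt          # modifier applies to the preceding content
    return [tuple(m) for m in matches]


def parse_http(payload):
    """Split a cleartext HTTP request into the buffers the http_* modifiers
    inspect. Returns None for a TLS record (0x16, version 0x03xx) or anything
    else that is not HTTP: then no method/URI/header match can ever succeed."""
    if payload[:1] == b'\x16' and payload[1:2] == b'\x03':
        return None
    head, _, _body = payload.partition(b'\r\n\r\n')
    request_line, _, headers = head.partition(b'\r\n')
    parts = request_line.split(b' ')
    if len(parts) != 3 or not parts[2].startswith(b'HTTP/'):
        return None
    return {'http_method': parts[0], 'http_uri': parts[1],
            'http_header': headers, 'raw': payload}


def rule_matches(rule, payload):
    """True if every content pattern is found in its buffer (simplified: no
    normalisation, no nocase/distance/within)."""
    bufs = parse_http(payload)
    if bufs is None:
        return False
    return all(pat in bufs[buf] for buf, pat in parse_rule(rule))


def build_client_hello(hostname):
    """Minimal TLS record carrying a ClientHello with a single SNI extension."""
    name = hostname.encode()
    sni_entry = b'\x00' + len(name).to_bytes(2, 'big') + name
    sni_list = len(sni_entry).to_bytes(2, 'big') + sni_entry
    ext = b'\x00\x00' + len(sni_list).to_bytes(2, 'big') + sni_list
    body = (b'\x03\x03' + b'\x00' * 32        # version, random
            + b'\x00'                         # empty session id
            + b'\x00\x02\x00\x2f'             # one cipher suite
            + b'\x01\x00'                     # null compression
            + len(ext).to_bytes(2, 'big') + ext)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + len(handshake).to_bytes(2, 'big') + handshake


def tls_sni(payload):
    """Extract the server name from a ClientHello: the cleartext field of an
    SSL session that still tells you which site the client is talking to."""
    if payload[:1] != b'\x16' or payload[1:2] != b'\x03' or payload[5:6] != b'\x01':
        return None
    p = 5 + 4 + 2 + 32                                  # record/handshake hdrs, version, random
    p += 1 + payload[p]                                 # session id
    p += 2 + int.from_bytes(payload[p:p + 2], 'big')    # cipher suites
    p += 1 + payload[p]                                 # compression methods
    ext_end = p + 2 + int.from_bytes(payload[p:p + 2], 'big')
    p += 2
    while p + 4 <= ext_end:
        etype = int.from_bytes(payload[p:p + 2], 'big')
        elen = int.from_bytes(payload[p + 2:p + 4], 'big')
        if etype == 0:                                  # server_name extension
            nlen = int.from_bytes(payload[p + 7:p + 9], 'big')
            return payload[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None


if __name__ == '__main__':
    tls = build_client_hello('www.facebook.com')
    print('old rule vs cleartext POST:', rule_matches(OLD_RULE, HTTP_REQUEST))
    print('new rule vs cleartext POST:', rule_matches(NEW_RULE, HTTP_REQUEST))
    print('new rule vs TLS ClientHello:', rule_matches(NEW_RULE, tls))
    print('SNI visible in ClientHello:', tls_sni(tls))
```

Run it with `python3` and the four prints give False, True, False, `www.facebook.com`: the stale URI is why the old rule never fired even in the clear, and the TLS case is why no `http_uri` rule fires on Facebook chat without an SSL decryptor in front of Snort. The same check in Wireshark is to follow the TCP stream and see whether it is readable HTTP or a Client Hello followed by ciphertext.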