Snort mailing list archives

detect SSTP tunnel


From: rmkml <rmkml () yahoo fr>
Date: Tue, 4 Oct 2011 15:55:52 +0200 (CEST)

Hi,
First, thanks to HSC for publishing/sharing the news.
OK, second: if SSTP is over SSL, it is encrypted (look at MiTM).

But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
  alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; \
    content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; \
    reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
Check/adapt Snort variables, of course.

Regards
Rmkml
http://twitter.com/rmkml
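Added example (not part of rmkml's post or of Snort itself): a small Python model of what the rule's content modifiers actually constrain, so the effect of `offset:0; depth:16; nocase;` can be checked against sample proxy requests. The proxy port set and the request samples are constructed assumptions standing in for `$PROXY_PORTS` and for real traffic; the sample request path is a placeholder, not the real SSTP URI.

```python
# Added example: emulate the matching logic of the SSTP_DUPLEX_POST Snort rule.
# Not Snort code; the port set and sample flows below are constructed.

SSTP_METHOD = b"SSTP_DUPLEX_POST"          # 16 bytes, the content: keyword
PROXY_PORTS = {3128, 8080}                  # assumption: stands in for $PROXY_PORTS


def matches_sstp_rule(payload: bytes, dst_port: int) -> bool:
    """Return True if the rule would alert on this client->server payload.

    offset:0 and depth:16 mean Snort only inspects payload bytes 0..15, and
    because the content itself is 16 bytes long, the method has to sit at the
    very start of the request. nocase makes the comparison case-insensitive.
    """
    if dst_port not in PROXY_PORTS:         # port check from the rule header
        return False
    window = payload[0:16]                  # offset:0; depth:16
    return window.upper() == SSTP_METHOD    # nocase


def scan(flows):
    """Return (dst_port, request line) for every flow the rule would alert on."""
    hits = []
    for dst_port, payload in flows:
        if matches_sstp_rule(payload, dst_port):
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            hits.append((dst_port, request_line))
    return hits


# Constructed sample flows (dst_port, first bytes of the client request).
SAMPLE_FLOWS = [
    # SSTP over a web proxy: the new HTTP method is the first token -> alert
    (8080, b"SSTP_DUPLEX_POST /sra_PLACEHOLDER/ HTTP/1.1\r\nHost: vpn.example\r\n"),
    # Same method in lower case: still an alert because of nocase
    (3128, b"sstp_duplex_post /sra_PLACEHOLDER/ HTTP/1.1\r\nHost: vpn.example\r\n"),
    # Ordinary proxied request -> no alert
    (8080, b"POST /upload HTTP/1.1\r\nHost: www.example\r\n"),
    # String present but not at offset 0: depth:16 keeps this from matching,
    # which is what stops a URL merely mentioning the method from alerting
    (8080, b"GET /doc?SSTP_DUPLEX_POST HTTP/1.1\r\nHost: www.example\r\n"),
    # Not a proxy port: outside the rule header, so never inspected
    (443, b"SSTP_DUPLEX_POST /sra_PLACEHOLDER/ HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for port, line in scan(SAMPLE_FLOWS):
        print(f"alert: dst_port={port} request={line!r}")
```

The fourth sample is the one worth noting: without `depth:16` the content match would fire anywhere in the request, and a plain link or log entry containing the string would trigger the rule.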
