[Emerging-Sigs] ET POLICY NSPlayer User-Agent - Windows Media Player streaming detected

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 29 14:57:59 EDT 2010


Worth being in there, posting now. Had to modify the reference, but it's good.

Thanks!

Matt

On Oct 29, 2010, at 2:17 PM, L0rd Ch0de1m0rt wrote:

> Hello.  I propose this simple policy rule to alert on people streaming
> media with Windows Media Player:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NSPlayer User-Agent - Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851(PROT.10).aspx; sid:2011xyz; rev:1;)
> 
> Example HTTP headers:
> 
> Accept: */*
> User-Agent: NSPlayer/11.0.5721.5251
> Host: pubint-wnedfm.wm.llnwd.net
> Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-DEADBEEF0FDA5EA}
> X-Accept-Authentication: Negotiate, NTLM, Digest, Basic
> Pragma: client-id=1887181337
> Pragma: xStopStrm=1
> Content-Length: 0
> 
> We may need to have it disabled by default if it is too noisy but I
> thresholded it so maybe we don't.
> 
> -L0rd C.
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
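
Added example, not part of the original thread or the Emerging Threats ruleset: a Python replay of the proposed rule's logic (the header content match plus "threshold: type limit, track by_src, seconds 300, count 1") over constructed requests, showing which ones would alert. The header split and the fixed-window limiter are simplified models of Snort's http_header buffer and limit threshold; the hosts and addresses are made up.

```python
"""Replay of the proposed rule's logic over constructed HTTP requests."""

CONTENT = b"User-Agent: NSPlayer/"   # content:"User-Agent|3A 20|NSPlayer|2F|"
SECONDS, COUNT = 300, 1              # threshold: type limit, seconds 300, count 1


def header_block(request: bytes) -> bytes:
    """Return the header lines only (rough stand-in for http_header)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""


class LimitBySrc:
    """type limit, track by_src: first COUNT hits per source per window alert."""

    def __init__(self, seconds=SECONDS, count=COUNT):
        self.seconds, self.count = seconds, count
        self.state = {}  # src -> (window_start, hits_in_window)

    def allow(self, src: str, ts: float) -> bool:
        start, hits = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, hits = ts, 0
        self.state[src] = (start, hits + 1)
        return hits < self.count


def replay(events):
    """events: iterable of (ts, src_ip, raw_request). Returns alerting (ts, src)."""
    limiter, alerts = LimitBySrc(), []
    for ts, src, raw in events:
        if CONTENT in header_block(raw) and limiter.allow(src, ts):
            alerts.append((ts, src))
    return alerts


def _req(ua: bytes, body: bytes = b"") -> bytes:
    return (b"GET /stream HTTP/1.1\r\nAccept: */*\r\nUser-Agent: " + ua +
            b"\r\nHost: media.example\r\n\r\n" + body)


# Constructed sample traffic (addresses and hosts are made up).
SAMPLE = [
    (0,   "10.0.0.5", _req(b"NSPlayer/11.0.5721.5251")),  # alert
    (30,  "10.0.0.5", _req(b"NSPlayer/11.0.5721.5251")),  # suppressed by limit
    (60,  "10.0.0.9", _req(b"NSPlayer/11.0.5721.5251")),  # alert: other source
    (90,  "10.0.0.7", _req(b"Mozilla/5.0", b"User-Agent: NSPlayer/")),  # body only
    (120, "10.0.0.8", _req(b"nsplayer/11.0")),            # no nocase: no match
    (400, "10.0.0.5", _req(b"NSPlayer/11.0.5721.5251")),  # alert: window expired
]
```

The lowercase case is worth noting when tuning: the rule as posted has no nocase modifier, so a client that changes the casing of the string would not match.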
