[Emerging-Sigs] detect SSTP tunnel

rmkml rmkml at yahoo.fr
Tue Oct 4 09:55:52 EDT 2011

First, thanks to HSC for publishing/sharing the news.
OK, second: if SSTP is over SSL, it's encrypted (look at MiTM).

But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
  alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
Check/adapt the Snort variables, of course.
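As an added illustration (not part of the original post or of any Snort/Emerging Threats code), the following Python mirrors the rule's content/offset/depth/nocase semantics and runs it over a few constructed client-to-proxy request samples; the hostnames and the /sra_example/ path are made up for the demo.

```python
# Constructed sample requests (not from the original post): what a web proxy
# would see on the client -> proxy side. Only the request line matters here.
SAMPLES = {
    "sstp_upper": b"SSTP_DUPLEX_POST /sra_example/ HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n",
    "sstp_lower": b"sstp_duplex_post /sra_example/ HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n",
    "plain_post": b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # The token appears, but not within the first 16 bytes, so the rule stays quiet.
    "late_match": b"GET /SSTP_DUPLEX_POST HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

PATTERN = b"SSTP_DUPLEX_POST"   # the rule's content: option
OFFSET = 0                      # offset:0
DEPTH = 16                      # depth:16 (equal to len(PATTERN))


def rule_matches(payload: bytes) -> bool:
    """Apply the content/offset/depth/nocase semantics of the rule.

    Snort only searches payload[OFFSET:OFFSET+DEPTH] for the pattern, so the
    token has to start the request; appearing later (e.g. inside a URL) is
    not enough. nocase makes the comparison case-insensitive.
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    return PATTERN.lower() in window.lower()


def http_method(payload: bytes) -> str:
    """Extract the request method from the request line, for alert context."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.split(b" ", 1)[0].decode("ascii", "replace")


def scan(samples):
    """Return the names of the samples that would trigger the alert."""
    return [name for name, payload in samples.items() if rule_matches(payload)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        method = http_method(SAMPLES[name])
        print(f"WEB-MISC detect SSTP tunnel: sample={name} method={method}")
```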


