[Emerging-Sigs] detect SSTP tunnel

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:46:41 EDT 2011

Nice, thanks rmkml. Posting!


On Oct 4, 2011, at 9:55 AM, rmkml wrote:

> Hi,
> First, thanks to HSC for publishing/sharing the news.
> OK, second, if SSTP is over SSL, it is encrypted (look at MiTM).
> But if an internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
>  alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern; reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
> Check/adapt Snort variables, of course.
> Regards
> Rmkml
> http://twitter.com/rmkml

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
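
The content options of the rule quoted above (`content`, `nocase`, `depth:16`, `offset:0`), emulated in Python as an added example; it is not part of the original thread and is not Snort code. The sample payloads, paths and host name are constructed, and the helper names are hypothetical.

```python
from typing import Dict, Optional

PATTERN = b"SSTP_DUPLEX_POST"  # content string taken from the rule (16 bytes)


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Search for pattern only inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_fires(payload: bytes) -> bool:
    """content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0;"""
    return content_match(payload, PATTERN, offset=0, depth=16, nocase=True)


# Constructed client-to-proxy payloads (first bytes of the TCP stream).
SAMPLES: Dict[str, bytes] = {
    # Method visible in cleartext at the start of the request.
    "cleartext_method": b"SSTP_DUPLEX_POST /constructed-path/ HTTP/1.1\r\n"
                        b"Host: vpn.example.test\r\n\r\n",
    # Same method in lower case: still matches because of nocase.
    "lowercase_method": b"sstp_duplex_post /constructed-path/ HTTP/1.1\r\n\r\n",
    # One leading byte pushes the string past the 16-byte depth window.
    "leading_space": b" SSTP_DUPLEX_POST /constructed-path/ HTTP/1.1\r\n\r\n",
    # String appears only in a request body, far beyond depth:16.
    "string_in_body": b"POST /log HTTP/1.1\r\n\r\nmethod=SSTP_DUPLEX_POST",
    # Proxy tunnel request: the sensor sees CONNECT, not the SSTP method.
    "connect_tunnel": b"CONNECT vpn.example.test:443 HTTP/1.1\r\n\r\n",
    # Start of a TLS handshake record: the payload is opaque to the rule.
    "tls_record": bytes.fromhex("160301002e0100002a0303"),
}


def evaluate() -> Dict[str, bool]:
    """Return, per sample name, whether the emulated rule would alert."""
    return {name: rule_fires(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:18} {'ALERT' if fired else 'no match'}")
```
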
