[Emerging-Sigs] [Snort-sigs] detect SSTP tunnel

rmkml rmkml at yahoo.fr
Wed Oct 5 15:18:13 EDT 2011

Hi Joel,
Sorry, nothing.
The script (Python) on the reference link uses SSL over 443; I have created this specific rule.
Has VRT worked on the SSTP protocol, please?
Best Regards

On Wed, 5 Oct 2011, Joel Esler wrote:

> rmkml,
> Do you have a pcap for this?  Or just the reference?
> --
> J
> On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml at yahoo.fr> wrote:
>       Hi,
>       First, thanks to HSC for publishing/sharing the news.
>       Second, if SSTP is over SSL, it is encrypted (look at MiTM).
>       But if the internal browser uses a web proxy, look at this rule to detect the new HTTP method used by SSTP:
>        alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern;
>       reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
>       Check/adapt Snort variables, of course.
>       Regards
>       Rmkml
>       http://twitter.com/rmkml
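
The content options of the rule quoted above (`content`, `nocase`, `depth:16`, `offset:0`), emulated in Python as an added example; it is not part of the original thread and is not Snort's own matching code. The sample payloads, the `/sra_{GUID}/` path and the `vpn.example.test` host are constructed for illustration. Because the pattern is 16 bytes long and `depth:16` is counted from offset 0, the match is anchored to the very start of the payload.

```python
from typing import Optional

PATTERN = b"SSTP_DUPLEX_POST"  # 16 bytes, same as depth:16 in the rule


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Snort-style content search: the whole pattern must lie inside
    payload[offset : offset + depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(payload: bytes) -> bool:
    """The rule's options: content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0;"""
    return content_match(payload, PATTERN, offset=0, depth=16, nocase=True)


# Constructed client-to-proxy payloads (not captured traffic).
SAMPLES = {
    "sstp_request": (b"SSTP_DUPLEX_POST /sra_{GUID}/ HTTP/1.1\r\n"
                     b"Host: vpn.example.test\r\n\r\n"),
    "lowercase_method": (b"sstp_duplex_post /sra_{GUID}/ HTTP/1.1\r\n"
                         b"Host: vpn.example.test\r\n\r\n"),
    "connect_request": b"CONNECT vpn.example.test:443 HTTP/1.1\r\n\r\n",
    # The string appears only in the body, outside the first 16 bytes.
    "string_in_body": (b"POST /search HTTP/1.1\r\nHost: www.example.test\r\n"
                       b"Content-Length: 18\r\n\r\nq=SSTP_DUPLEX_POST"),
}


def evaluate_samples() -> dict:
    """Return {sample name: True if the rule's content options match}."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} {'ALERT' if hit else 'no match'}")
```
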
