[Emerging-Sigs] [Snort-sigs] detect SSTP tunnel
rmkml at yahoo.fr
Wed Oct 5 15:18:13 EDT 2011
script (python) on reference links use ssl over 443, I have created this specific rule.
VRT has worked on SSTP protocol please?
On Wed, 5 Oct 2011, Joel Esler wrote:
> Do you have a pcap for this? Or just the reference?
> On Tue, Oct 4, 2011 at 9:55 AM, rmkml <rmkml at yahoo.fr> wrote:
> First, thx to HSC for published/shared news,
> ok second, if sstp it's over ssl: crypted (look MiTM).
> but if internal browser use proxy web, look this rule for detect new http method used by SSTP:
> alert tcp any any -> any $PROXY_PORTS (msg:"WEB-MISC detect SSTP tunnel"; flow:to_server,established; content:"SSTP_DUPLEX_POST"; nocase; depth:16; offset:0; fast_pattern;
> reference:url,http://www.hsc.fr/ressources/breves/sstp.html.fr; classtype:web-application-activity; sid:x; rev:1;)
> Check/adapt snort variables of course.
More information about the Emerging-sigs