[Emerging-Sigs] chrome rdp

Rich Rumble richrumble at gmail.com
Fri Oct 14 01:21:52 EDT 2011


This should probably catch "Chromoting" to/from Google NetBooks also
(see: http://www.wired.com/wiredenterprise/2011/10/google-chromoting-chrome/)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Chromoting Detected"; flow:to_server,established; content:"|58 2d 53 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 6c 65 3a 72 65 6d 6f 74 69 6e 67|"; reference:url,xinn.org/Chromoting.html;)

Basically it should trigger on: "X-Session-Type: google:remoting",
there is also a user agent "User-Agent: transp2" that might be useful,
not sure. I'm attaching a pcap of a short Chromoting session.

I'll have the reference page in the sig up after sleep. Rule works on
Suri just fine, didn't fire on snort...
-rich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Chromoting-session-01.pcap
Type: application/octet-stream
Size: 38622 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111014/f1cd0257/Chromoting-session-01-0001.obj
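
Added example, not part of the original post or of the Emerging Threats ruleset: a small Python decoder for the rule's `content` option, run against constructed payloads to show what the signature matches and that the match is case-sensitive because the rule carries no `nocase`. The sample requests (method, path, host) are assumptions made up for this illustration and are not taken from the attached pcap.

```python
import re

# The content option exactly as it appears in the rule in the post.
RULE_CONTENT = ("|58 2d 53 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 "
                "6c 65 3a 72 65 6d 6f 74 69 6e 67|")

def decode_content(pattern: str) -> bytes:
    """Decode a Snort/Suricata content string into raw bytes.

    Text outside |...| is literal; text inside is space-separated hex.
    Backslash escapes in literal segments are not handled here.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced | in content pattern")
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal segment
        else:
            hexstr = "".join(part.split())         # drop spaces between bytes
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", hexstr):
                raise ValueError(f"bad hex segment: {part!r}")
            out += bytes.fromhex(hexstr)
    return bytes(out)

def content_matches(pattern: str, payload: bytes, nocase: bool = False) -> bool:
    """Byte-substring match, as a content option without offset/depth does."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Constructed sample payloads (hypothetical requests, not from the pcap).
SAMPLES = {
    "chromoting": (b"POST /session HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: transp2\r\n"
                   b"X-Session-Type: google:remoting\r\n\r\n"),
    "lowercase_header": (b"POST /session HTTP/1.1\r\nHost: example.invalid\r\n"
                         b"x-session-type: google:remoting\r\n\r\n"),
    "ordinary": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

def evaluate(nocase: bool = False) -> dict:
    """Return {sample name: matched?} for the rule's content option."""
    return {name: content_matches(RULE_CONTENT, data, nocase)
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print(decode_content(RULE_CONTENT))
    print("case-sensitive:", evaluate())
    print("with nocase:   ", evaluate(nocase=True))
```
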

