[Emerging-Sigs] chrome rdp

Rich Rumble richrumble at gmail.com
Fri Oct 14 12:48:15 EDT 2011


Don't use this yet, I'm attempting to make incoming and outgoing sigs;
should be soon.

On Fri, Oct 14, 2011 at 1:21 AM, Rich Rumble <richrumble at gmail.com> wrote:
> This should probably catch "Chromoting" to/from Google NetBooks also
> (see: http://www.wired.com/wiredenterprise/2011/10/google-chromoting-chrome/)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Chromoting Detected"; flow:to_server,established; content:"|58 2d 53
> 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 6c 65 3a 72 65 6d
> 6f 74 69 6e 67|"; reference:url,xinn.org/Chromoting.html;)
>
> Basically it should trigger on: "X-Session-Type: google:remoting",
> there is also a user
> agent "User-Agent: transp2" that might be useful, not sure. I'm
> attaching a pcap of a
> short Chromoting session.
>
> I'll have the reference page in the sig up after sleep. Rule works on
> Suri just fine, didn't fire on snort...
> -rich
>
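
Added example, not part of the original message or of the Emerging Threats ruleset: a small Python check that decodes the rule's hex content back to the header string it is said to trigger on and tests it against constructed request bytes. The function names, sample requests and host name are assumptions made for illustration; only plain content matching is modelled, not flow state or the rule header.

```python
import re

# Rule as posted in the message above, with the e-mail line wraps joined.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY '
    'Chromoting Detected"; flow:to_server,established; content:"|58 2d 53 '
    '65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 6c 65 3a 72 65 6d '
    '6f 74 69 6e 67|"; reference:url,xinn.org/Chromoting.html;)'
)

def decode_content(value: str) -> bytes:
    """Decode a content value: literal text mixed with |hex byte| runs.
    Backslash escapes in the literal part are not handled (none in this rule)."""
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content value")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def rule_contents(rule: str) -> list[bytes]:
    """Return every content pattern in the rule as raw bytes."""
    return [decode_content(v) for v in re.findall(r'\bcontent:"([^"]*)"', rule)]

def matches(rule: str, payload: bytes) -> bool:
    """Plain content matching: every pattern must occur, case-sensitively,
    because the rule sets no nocase modifier."""
    return all(c in payload for c in rule_contents(rule))

# Constructed sample requests (not taken from the attached pcap).
SAMPLE_HIT = (b"POST /session HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: transp2\r\nX-Session-Type: google:remoting\r\n\r\n")
SAMPLE_MISS = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: transp2\r\n\r\n")
SAMPLE_LOWER = SAMPLE_HIT.replace(b"X-Session-Type", b"x-session-type")

if __name__ == "__main__":
    print(rule_contents(RULE))
    for name, data in [("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("lower", SAMPLE_LOWER)]:
        print(name, matches(RULE, data))
```

The third sample shows that the pattern is matched case-sensitively as written, which is worth checking when the incoming and outgoing variants are tested.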

