[Emerging-Sigs] chrome rdp

Rich Rumble richrumble at gmail.com
Fri Oct 14 16:40:36 EDT 2011


Sorry for all the (self-)chatter. UDP probably doesn't like flow:to...,established?
This one works for Incoming detection:
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Detected"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:40; reference:url,xinn.org/Chromoting.html; sid:999999922; rev:1;)

This one for outgoing:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OutGoing Chromoting Detected"; flow:to_server,established; content:"|58 2d 53 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 6c 65 3a 72 65 6d 6f 74 69 6e 67|"; reference:url,xinn.org/Chromoting.html; sid:999999911; rev:1;)

If others can test, that'd be great.
-rich
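The following is an added example, not part of Rich's post or of the Emerging Threats ruleset. It re-implements the two signatures above as a toy Snort-style content/distance matcher so the logic can be exercised offline: the hex in the UDP rule decodes to "chromoting" and the hex in the TCP rule to "X-Session-Type: google:remoting", and `distance:N` means the pattern must start at least N bytes after the end of the previous match (or after the start of the payload for the first content). The sample payloads are constructed for the test and are not captured Chromoting traffic; the matcher is a simplified greedy search, not Snort's real detection engine.

```python
"""Toy Snort-style content/distance matcher for the two Chromoting rules.

Added example; the payloads below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: int = 0  # bytes to skip after the previous match (or payload start)


def match_contents(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Evaluate an ordered list of content matches, Snort-style.

    Returns the offset of each match, or None if any content fails.
    Greedy: each search starts at (end of previous match + distance).
    """
    cursor = 0
    offsets: List[int] = []
    for c in contents:
        idx = payload.find(c.pattern, cursor + c.distance)
        if idx < 0:
            return None
        offsets.append(idx)
        cursor = idx + len(c.pattern)
    return offsets


# sid:999999922 -- "chromoting" twice: first at/after byte 170,
# second at least 40 bytes after the end of the first match.
INCOMING_CHROMOTING = [
    Content(bytes.fromhex("6368726F6D6F74696E67"), distance=170),
    Content(bytes.fromhex("6368726F6D6F74696E67"), distance=40),
]

# sid:999999911 -- the literal HTTP header line "X-Session-Type: google:remoting".
OUTGOING_CHROMOTING = [
    Content(bytes.fromhex("582d53657373696f6e2d547970653a20676f6f676c653a72656d6f74696e67")),
]


def incoming_alert(udp_payload: bytes) -> bool:
    """Would the UDP rule fire on this payload? (No flow: keyword on UDP.)"""
    return match_contents(udp_payload, INCOMING_CHROMOTING) is not None


def outgoing_alert(http_request: bytes) -> bool:
    """Would the TCP/HTTP rule fire on this client request payload?"""
    return match_contents(http_request, OUTGOING_CHROMOTING) is not None


# Constructed samples (assumed layouts, chosen to exercise the distance logic).
UDP_HIT = b"\x00" * 172 + b"chromoting" + b"\x01" * 45 + b"chromoting" + b"\x02" * 8
UDP_MISS_TOO_CLOSE = b"\x00" * 172 + b"chromoting" + b"\x01" * 10 + b"chromoting"
UDP_MISS_TOO_EARLY = b"chromoting" + b"\x00" * 300

HTTP_HIT = (
    b"POST /session HTTP/1.1\r\n"
    b"Host: example.com\r\n"          # constructed host, not the real endpoint
    b"X-Session-Type: google:remoting\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HTTP_MISS = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


if __name__ == "__main__":
    for name, p in [("UDP_HIT", UDP_HIT), ("UDP_MISS_TOO_CLOSE", UDP_MISS_TOO_CLOSE),
                    ("UDP_MISS_TOO_EARLY", UDP_MISS_TOO_EARLY)]:
        print(name, incoming_alert(p), match_contents(p, INCOMING_CHROMOTING))
    for name, p in [("HTTP_HIT", HTTP_HIT), ("HTTP_MISS", HTTP_MISS)]:
        print(name, outgoing_alert(p))
```

The two "miss" payloads show why the second rule-evaluation detail matters: a second "chromoting" that lands fewer than 40 bytes after the first does not satisfy `distance:40`, and a payload whose only "chromoting" sits before byte 170 never satisfies the first content at all. Testers comparing against real captures should check those offsets, since the rule hard-codes them.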

