[Emerging-Sigs] chrome rdp

Martin Holste mcholste at gmail.com
Fri Oct 14 16:48:28 EDT 2011


If it's incoming, you probably need from_server.

On Fri, Oct 14, 2011 at 3:40 PM, Rich Rumble <richrumble at gmail.com> wrote:
> Sorry for all the (self)chatter. UDP probably doesn't like flow:to...established?
> This one works for Incoming detection:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Detected"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:40; reference:url,xinn.org/Chromoting.html; sid:999999922;)
>
> This for outgoing:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OutGoing Chromoting Detected"; flow:to_server,established; content:"|58 2d 53 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67 6c 65 3a 72 65 6d 6f 74 69 6e 67|"; reference:url,xinn.org/Chromoting.html; sid:999999911;)
>
> If others can test, that'd be great.
> -rich
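The two quoted rules rely on Snort hex `content` strings and the `distance` modifier. The following added example (not from the thread or from Emerging Threats) decodes those content strings and applies a simplified version of the content/distance logic to constructed payloads, so the reader can see what bytes each rule actually looks for; the payloads are constructed and the matcher assumes `distance` is measured from the end of the previous match, or from the payload start for the first pattern.

```python
"""Toy evaluator for the content/distance logic of the two Chromoting rules.
Added example; the sample payloads below are constructed, not captured."""


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|63 68|abc' into raw bytes.
    Text outside |...| is literal; hex pairs inside |...| are decoded."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                       # odd pieces are inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def match_contents(payload: bytes, contents) -> bool:
    """contents: list of (content_spec, distance). Simplified Snort semantics
    (assumption): each pattern is searched starting `distance` bytes after the
    end of the previous match, or after offset 0 for the first pattern."""
    cursor = 0
    for spec, distance in contents:
        needle = decode_content(spec)
        idx = payload.find(needle, cursor + distance)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# Content/distance pairs lifted from the two rules quoted in the thread.
RULE_INCOMING = [("|63 68 72 6F 6D 6F 74 69 6E 67|", 170),
                 ("|63 68 72 6F 6D 6F 74 69 6E 67|", 40)]
RULE_OUTGOING = [("|58 2d 53 65 73 73 69 6f 6e 2d 54 79 70 65 3a 20 67 6f 6f 67"
                  " 6c 65 3a 72 65 6d 6f 74 69 6e 67|", 0)]


def sample_udp_payload() -> bytes:
    """Constructed UDP payload: two 'chromoting' markers spaced as the rule expects."""
    return b"\x00" * 180 + b"chromoting" + b"\x00" * 50 + b"chromoting" + b"\x00" * 8


def sample_http_request() -> bytes:
    """Constructed HTTP request carrying the session-type header the TCP rule matches."""
    return (b"POST /session HTTP/1.1\r\nHost: example.invalid\r\n"
            b"X-Session-Type: google:remoting\r\n\r\n")
```

Decoding shows rule 999999922 matches two occurrences of the string `chromoting` and rule 999999911 matches the header `X-Session-Type: google:remoting`; the direction question Martin raises (`from_server` for incoming traffic) is a header-level check that this payload matcher does not model.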

