[unisog] Google Desktop (v3) [was (v4)

Chris Green cmgreen at uab.edu
Mon Feb 13 18:11:31 GMT 2006

On 2/13/06 11:28 AM, "Michael Holstein" <michael.holstein at csuohio.edu>
> Unfortunately, the dynamic/activate stuff in snort doesn't let you do an
> "alert" action after an activate -- because it's designed to just dump
> the next (n) packets. If there was a good way to chain the two rules
> together -- to say "after seeing 1, do REACT on #2" you could reliably
> kill any SSL/TLS sessions from somebody running Google Desktop, thus
> preventing the upload of anything.
> Thoughts?

I wouldn't try to snipe sessions with snort in this case.  It's just too
unreliable at stopping what you want.  You don't want a snipe rule to have
only a single time that it will shoot off, for instance, in case the host has
already moved on to a new set of sequence numbers.

Integrate the detection with disconnecting the user from their network port
and contacting the helpdesk to address the issue.

Chris Green
UAB Data Security, 5-0842
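The "after seeing 1, act on 2" chaining from the quoted message, done out of band the way this reply suggests (alert, pull the port, open a ticket) rather than by sniping packets. This is an added example, not code from the thread; the log format and the signature names GDS-INDICATOR and TLS-SESSION are constructed stand-ins for whatever the real detector emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert log (not real Snort output), one event per line.
# GDS-INDICATOR is a hypothetical stage-1 signature raised for a host;
# TLS-SESSION is a hypothetical stage-2 event for a TLS session from a host.
SAMPLE_LOG = """\
2006-02-13T11:00:05 sig=GDS-INDICATOR src=10.1.2.3
2006-02-13T11:00:09 sig=TLS-SESSION src=10.1.2.3 dst=203.0.113.10
2006-02-13T11:00:20 sig=TLS-SESSION src=10.1.2.4 dst=203.0.113.10
2006-02-13T11:20:00 sig=TLS-SESSION src=10.1.2.3 dst=203.0.113.11
"""

LINE_RE = re.compile(r"^(\S+) sig=(\S+) src=(\S+)(?: dst=(\S+))?$")
WINDOW = timedelta(minutes=10)  # how long a stage-1 hit keeps a host "armed"


def correlate(log_text, window=WINDOW):
    """Two-stage correlation: a stage-1 hit arms the source host; a TLS
    session from an armed host within `window` yields a response action.
    Returns a list of action dicts (one per matching stage-2 event)."""
    armed = {}    # src host -> timestamp of its most recent stage-1 hit
    actions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the run
        ts = datetime.fromisoformat(m.group(1))
        sig, src, dst = m.group(2), m.group(3), m.group(4)
        if sig == "GDS-INDICATOR":
            armed[src] = ts           # (re)arm the host at this time
            continue
        if sig == "TLS-SESSION" and src in armed:
            if ts - armed[src] <= window:
                actions.append({
                    "host": src, "dst": dst, "at": m.group(1),
                    # out-of-band response instead of an unreliable RST
                    "action": ["alert", "request_port_disable",
                               "helpdesk_ticket"],
                })
            else:
                del armed[src]        # stale arming: an old hit must not fire
    return actions
```

The stale-arming branch is the point: the window caps how long a single stage-1 hit can trigger stage 2, which the one-shot activate/dynamic pair cannot express.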
