[unisog] Google Desktop (v3) [was (v4)

Russell Fulton r.fulton at auckland.ac.nz
Tue Feb 14 23:04:14 GMT 2006



Michael Holstein wrote:
> First, I made a mistake in the version number. The current/new one is 
> version 3 (the one that uploads your data to Google)
> 
> I've been experimenting with Snort sigs to detect this.
> 
> Google Desktop uses a unique user-agent (I got a tip about this from 
> another user at full-disclosure) :
> 
> User-Agent: Mozilla/4.0 (compatible; Google Desktop)
> 
> So here is a snort sig for that ...
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Google 
> Desktop User-Agent Detected"; flow: to_server,established; 
> content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; 
> nocase; classtype: policy-violation; sid: 3000001; rev:1; )
> 
I have been getting thousands of hits on this rule and it certainly find
all the machines running GD, i.e. as it stands it only is useful if you
have banned GD altogether.  It would be great if we could refine the
rule so it only triggers on file upload attempts -- any ideas on ways to
do this?

I have noticed that some of the packet captures have "User-Agent:
Mozilla/4.0 (compatible; Google Desktop)..Host: desktop.google.com"
with the traffic going to www.google.com.

I'll keep looking to see if this works.

Russell

Russell



More information about the unisog mailing list