[unisog] Google Desktop (v3) [was (v4)

Michael Holstein michael.holstein at csuohio.edu
Wed Feb 15 14:22:23 GMT 2006

> I have been getting thousands of hits on this rule and it certainly find
> all the machines running GD, i.e. as it stands it only is useful if you
> have banned GD altogether.  It would be great if we could refine the
> rule so it only triggers on file upload attempts -- any ideas on ways to
> do this?

Well, after looking at all the ways to chain rules in Snort (flows or 
dynamic) neither will do what I want.

I need to first detect the GD user-agent string, and then (dynamically) 
look for TLS traffic to google.com. I won't be able to tell if the 
subsequent TLS traffic is a gmail login or GD uploadings -- but the 
timing would indicate that.

My current thinking is using the alert-unixsock action and using perl to 
run a listener on the target socket -- to dynamically generate a list of 
internal IPs running GD. A second instance of snort (which will HUP upon 
a new add to the list) will do nothing except watch tcp/443 traffic with 
one rule (the TLS session setup to google) and block those attempts.

I'll keep everyone posted.


Michael Holstein CISSP GCIA
Cleveland State University

More information about the unisog mailing list