[unisog] Google Desktop (v3) [was (v4)
michael.holstein at csuohio.edu
Wed Feb 15 14:22:23 GMT 2006
> I have been getting thousands of hits on this rule and it certainly finds
> all the machines running GD, i.e. as it stands it is only useful if you
> have banned GD altogether. It would be great if we could refine the
> rule so it only triggers on file upload attempts -- any ideas on ways to
> do this?
Well, after looking at all the ways to chain rules in Snort (flows or
dynamic) neither will do what I want.
I need to first detect the GD user-agent string, and then (dynamically)
look for TLS traffic to google.com. I won't be able to tell if the
subsequent TLS traffic is a gmail login or GD uploads -- but the
timing would indicate that.
My current thinking is using the alert-unixsock action and using perl to
run a listener on the target socket -- to dynamically generate a list of
internal IPs running GD. A second instance of snort (which will HUP upon
a new addition to the list) will do nothing except watch tcp/443 traffic with
one rule (the TLS session setup to google) and block those attempts.
I'll keep everyone posted.
Michael Holstein CISSP GCIA
Cleveland State University
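The correlation sketched in the message above (first note the host that sent the GD user-agent, then treat a TLS session to google from that same host shortly afterwards as a probable upload) can be prototyped outside Snort before wiring it to alert-unixsock. The following is an added example, not code from the original post or from Michael Holstein: it parses Snort "fast" alert lines, keeps the dynamic list of internal IPs running GD, and flags a tcp/443 alert only when it follows a GD user-agent hit from the same source within a time window. The SIDs (1000001, 1000002), the 30-second window and the sample alert lines are all constructed for the example; the alert format is Snort's standard fast-alert layout.

```python
import re
from datetime import datetime, timedelta

# Hypothetical SIDs for the two local rules the message describes:
GD_UA_SID = 1000001      # HTTP request carrying the Google Desktop User-Agent
TLS_GOOGLE_SID = 1000002 # TLS session setup to google.com on tcp/443
WINDOW = timedelta(seconds=30)  # assumed: how soon after the UA hit a TLS
                                # session counts as "probably a GD upload"

# Snort fast-alert layout:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mo>\d\d)/(?P<d>\d\d)-(?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line, year=2006):
    """Parse one fast-alert line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime(year, int(m["mo"]), int(m["d"]), int(m["h"]),
                  int(m["mi"]), int(m["s"]), int(m["us"]))
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def correlate(lines, window=WINDOW):
    """Return (sorted list of internal IPs seen with the GD UA,
    list of (src, dst, HH:MM:SS) TLS-to-google alerts that followed a GD
    UA hit from the same source within `window`)."""
    gd_hosts = {}   # src ip -> time of its most recent GD user-agent alert
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["sid"] == GD_UA_SID:
            gd_hosts[a["src"]] = a["ts"]
        elif a["sid"] == TLS_GOOGLE_SID and a["dport"] == 443:
            seen = gd_hosts.get(a["src"])
            # Only a TLS session that follows the UA hit, and not too long
            # after it, is attributed to Google Desktop.
            if seen is not None and timedelta(0) <= a["ts"] - seen <= window:
                hits.append((a["src"], a["dst"], a["ts"].strftime("%H:%M:%S")))
    return sorted(gd_hosts), hits


# Constructed sample alert lines (not real traffic). 10.1.2.3 shows the GD
# UA and opens TLS 8 s later; 10.1.2.4 opens TLS with no UA hit (a plain
# gmail login); 10.1.2.5 showed the UA five minutes before its TLS session.
SAMPLE_ALERTS = [
    "02/15-14:20:00.000000  [**] [1:1000001:1] GD user-agent seen [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.5:50001 -> 64.233.161.99:80",
    "02/15-14:22:23.101010  [**] [1:1000001:1] GD user-agent seen [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51234 -> 64.233.161.99:80",
    "02/15-14:22:31.202020  [**] [1:1000002:1] TLS setup to google.com [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51240 -> 64.233.161.99:443",
    "02/15-14:23:05.303030  [**] [1:1000002:1] TLS setup to google.com [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.4:40001 -> 64.233.161.99:443",
    "02/15-14:25:00.404040  [**] [1:1000002:1] TLS setup to google.com [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.5:50009 -> 64.233.161.99:443",
]

if __name__ == "__main__":
    gd_list, upload_hits = correlate(SAMPLE_ALERTS)
    print("hosts running GD:", gd_list)
    for src, dst, when in upload_hits:
        print(f"probable GD upload {src} -> {dst} at {when}")
```

The `gd_hosts` list is the same thing the message proposes to feed to the second Snort instance, and the window is the "timing" heuristic from the message: a host that did a gmail login inside the window after a GD user-agent hit would still be flagged, which is the ambiguity the message itself acknowledges.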