[Oisf-users] Problems with rule to detect proxy usage

Duarte Silva duarte.silva at serializing.me
Thu Feb 7 19:15:23 UTC 2013


Hi,

I think what is triggering the rule is NSPlayer streaming content from "wm-ondemand.abacast.com/100hitz/medium/chr4285_32.wma".

I will recheck it tomorrow to see if I can replicate.

Regards,
Duarte Silva


On Thu, Feb 7, 2013 at 6:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> On Thu, Feb 7, 2013 at 11:23 PM, Duarte Silva
> <duarte.silva at serializing.me> wrote:
> > Hello all,
> >
> > first of all, follows a disclaimer: I'm a newbie at writing
> > Suricata/Snort rules, so don't expect a smart question :P Next, the
> > problem: I have the need to detect if someone is using a rogue proxy in
> > my network. I decided to create an alert for any HTTP request that has a
> > "Via" header different from the expected one (Via: 1.1 PRX1 or 1.1
> > PRX2). Follows the rule I have written:
> >
> > alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MYRZ POLICY Rogue proxy detected"; flow:established,to_server; content:"Via|3A|"; http_header; nocase; pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi"; classtype:policy-violation; sid:2090001; rev:1;)
> >
> > This isn't foolproof, but it does work. The problem is that Suricata is
> > also marking requests like the following with this rule.
> >
> > upprofile
> > Pragma: playlist-seek-id=762678
> > Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-5EB360F56D0B}
> > Pragma: stream-switch-count=1
> > Pragma: stream-switch-entry=ffff:1:0
> > Accept-Language: en-ie, *;q=0.1
> > Connection: Keep-Alive
> >
> > Any ideas??
> >
>
> If the header is what you posted, we shouldn't alert.  Can you supply
> a pcap against this?  You can share it privately if you want to.
>
> --
> Anoop Saldanha
>
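As an added illustration (not code from the thread or from Suricata), the following Python script emulates the match logic of the rule quoted above: a case-insensitive `content:"Via|3A|"` check on the header buffer combined with a negated, anchored `pcre` on the same buffer. It assumes, as a simplification, that the `http_header` buffer is the raw request header lines terminated by CRLF, and runs the logic over constructed sample header blocks, including one with no Via header at all, like the request pasted in the question, and one with a chained Via value.

```python
import re

# The quoted rule's conditions:
#   content:"Via|3A|"; http_header; nocase;
#   pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi";
# It fires when "Via:" occurs anywhere in the header buffer AND no header
# line matches the anchored, case-insensitive regex (pcre is negated).
EXPECTED_VIA = re.compile(r"^Via\x3a 1\.1 PRX[1-2]\r$",
                          re.MULTILINE | re.IGNORECASE)


def rogue_proxy_alert(header_block: str) -> bool:
    """Return True when the rule's match conditions would fire.

    header_block is assumed (simplification) to be the raw request
    headers as exposed in Suricata's http_header buffer, CRLF-terminated.
    """
    has_via = "via:" in header_block.lower()                   # content, nocase
    expected = EXPECTED_VIA.search(header_block) is not None   # pcre /Hmi
    return has_via and not expected                            # pcre negated


# Constructed sample header blocks (not real captures from the thread).
SAMPLES = {
    "expected_prx1": "Host: example.com\r\nVia: 1.1 PRX1\r\n",
    "expected_prx2_lowercase": "Host: example.com\r\nvia: 1.1 prx2\r\n",
    "rogue_proxy": "Host: example.com\r\nVia: 1.1 someotherproxy\r\n",
    # A chained Via value fails the \r$ anchor, so the rule fires on it too.
    "chained_via": "Host: example.com\r\nVia: 1.1 PRX1, 1.0 upstream\r\n",
    # No Via header at all: the content match fails, so no alert.
    "no_via_header": (
        "Pragma: playlist-seek-id=762678\r\n"
        "Accept-Language: en-ie, *;q=0.1\r\n"
        "Connection: Keep-Alive\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Evaluate the rule logic over every constructed sample."""
    return {name: rogue_proxy_alert(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:25s} alert={fired}")
```

The chained-Via case shows one way the rule can fire on legitimate proxied traffic, since the regex requires the line to end immediately after PRX1 or PRX2.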