[Oisf-users] Problems with rule to detect proxy usage

Duarte Silva duarte.silva at serializing.me
Fri Feb 8 19:25:59 UTC 2013


Hi Anoop,

is it possible that snorby doesn't show the complete payload when used with
suricata?

Best regards,
Duarte Silva
On 7 Feb 2013 19:15, "Duarte Silva" <duarte.silva at serializing.me> wrote:

> Hi,
>
> I think what is triggering the rule is NSPlayer streaming content from "
> wm-ondemand.abacast.com/100hitz/medium/chr4285_32.wma".
>
> I will recheck it tomorrow to see if I can replicate.
>
> Regards,
> Duarte Silva
>
>
> On Thu, Feb 7, 2013 at 6:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> On Thu, Feb 7, 2013 at 11:23 PM, Duarte Silva
>> <duarte.silva at serializing.me> wrote:
>> > Hello all,
>> >
>> > first of all, follows a disclaimer: I'm a newbie at writing Suricata/Snort
>> > rules, so don't expect a smart question :P Next, the problem: I have the
>> > need to detect if someone is using a rogue proxy in my network. I decided to
>> > create an alert for any HTTP request that has a "Via" header different from
>> > the expected one (Via: 1.1 PRX1 or 1.1 PRX2). Follows the rule I have
>> > written:
>> >
>> > alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MYRZ POLICY Rogue proxy detected"; flow:established,to_server; content:"Via|3A|"; http_header; nocase; pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi"; classtype:policy-violation; sid:2090001; rev:1;)
>> >
>> > This isn't foolproof, but it does work. The problem is that Suricata is
>> > also marking requests like the following with this rule.
>> >
>> > upprofile
>> > Pragma: playlist-seek-id=762678
>> > Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-5EB360F56D0B}
>> > Pragma: stream-switch-count=1
>> > Pragma: stream-switch-entry=ffff:1:0
>> > Accept-Language: en-ie, *;q=0.1
>> > Connection: Keep-Alive
>> >
>> > Any ideas??
>> >
>>
>> If the header is what you posted, we shouldn't alert.  Can you supply
>> a pcap against this?  You can share it privately if you want to.
>>
>> --
>> Anoop Saldanha
>>
>
>
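Added example, not part of the thread or of Suricata itself: a small Python script that mirrors the logic of the rule quoted above (content match on "Via:" in the header block, then a negated PCRE with the /Hmi modifiers) so the match can be checked offline against constructed header blocks. It assumes the raw CRLF-terminated request header block is a fair stand-in for Suricata's normalized http_header buffer; the sample headers, including the NSPlayer-style block with no Via header, are constructed for the demonstration.

```python
import re

# content:"Via|3A|"; http_header; nocase;  -> case-insensitive substring match
VIA_CONTENT = re.compile(rb"Via\x3a", re.I)

# pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi"  -> negated, multiline, case-insensitive.
# The rule alerts when a Via header exists but this pattern does NOT match.
VIA_EXPECTED = re.compile(rb"^Via\x3a 1\.1 PRX[1-2]\r$", re.M | re.I)


def rule_alerts(header_block: bytes) -> bool:
    """Return True when the quoted rule would fire on this header block.

    Assumption: header_block is the raw CRLF-terminated request header block,
    used here as a stand-in for Suricata's normalized http_header buffer.
    """
    if not VIA_CONTENT.search(header_block):
        return False  # no Via header at all: the content match fails, so no alert
    return VIA_EXPECTED.search(header_block) is None


def via_headers(header_block: bytes) -> list:
    """Extract every Via header value, so an analyst can see what actually tripped the rule."""
    return [
        m.group(1).decode("latin-1")
        for m in re.finditer(rb"^Via\x3a[ \t]*(.*?)\r?$", header_block, re.M | re.I)
    ]


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "expected_prx1": b"Host: example.com\r\nVia: 1.1 PRX1\r\nConnection: Keep-Alive\r\n",
    "expected_prx2_lowercase": b"Host: example.com\r\nvia: 1.1 prx2\r\n",
    "rogue_squid": b"Host: example.com\r\nVia: 1.1 squid-cache\r\n",
    "chained_through_expected": b"Host: example.com\r\nVia: 1.1 PRX1, 1.0 other\r\n",
    "no_via_nsplayer": (
        b"User-Agent: NSPlayer/12.0\r\n"
        b"Pragma: playlist-seek-id=762678\r\n"
        b"Pragma: stream-switch-count=1\r\n"
        b"Accept-Language: en-ie, *;q=0.1\r\n"
        b"Connection: Keep-Alive\r\n"
    ),
}


def evaluate_all() -> dict:
    """Map each sample name to the rule's verdict (True = alert)."""
    return {name: rule_alerts(block) for name, block in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:26s} alert={verdict!s:5s} via={via_headers(SAMPLES[name])}")
```

Two things the samples make visible: the /i modifier means a lowercase "via: 1.1 prx2" is still accepted as the expected proxy, and a Via chain such as "1.1 PRX1, 1.0 other" alerts because the anchored `\r$` requires the approved proxy to be the only hop. A block with no Via header, like the NSPlayer request quoted in the thread, cannot fire the rule at all, which is why a full pcap rather than a trimmed payload is the right thing to look at.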