[Oisf-users] How to build a alert rule for GoogleDrive App?

Cooper F. Nelson cnelson at ucsd.edu
Tue Jan 27 17:48:02 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Google uses a wildcard cert; you aren't going to be able to write a
signature for that.

If you are concerned about stuff like this you should be using a web
proxy to access the internet.  The client's browser will pass the domain
name unencrypted to the proxy server in order to establish a session.

You can then write a signature to monitor inbound connections to the
proxy from clients and look for the drive.google.com string, or just
check the logs.  The incoming packets look like this:

> T 192.168.0.2:51456 -> 172.16.180.157:3128 [AP]
> CONNECT drive.google.com:443 HTTP/1.1.
> Host: drive.google.com.
> Proxy-Connection: keep-alive.
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36.

You can also just check the proxy logs:

> 1422379784.478  16141 192.168.0.2 TCP_MISS/200 4298 CONNECT drive.google.com:443 - DIRECT/74.125.224.101 -

- -Coop

On 1/26/2015 10:10 PM, Liao Zhuodi wrote:
> The Google Drive app (Mac/PC) uses TCP/TLSv1.2 to communicate. I tried to
> find the signature, but failed. The IP address is dynamic; I should not use
> that.
> Trying to find some clue; please help if anyone has some suggestions, thanks.
> 
> Liao
> 
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUx89SAAoJEKIFRYQsa8FWjMMH/3sz102rJ+ZbaUMXGyc55PjZ
VJLmA2vA3pLsT7nK9zd9vPm/Tk8TNQ03Kj9KGrTu80ShwzQEP48SU1ApFbu5CT8u
Q32P/l55sQeSIrYm0Msnzp3iBHuHBL0qxxNX3knRy1v1pOA/FkEssd3zdNOvqJnz
63FaOgA8KuMSZPETuwOlkFJ0kZE4UCNIoR9DpdNlTIYRscJaRm4DBlySpVGNx/Yk
LcVTOA2IPmFpKqOv9PrpE802v0grRDSvnK0PU3T6SkC3pjmpO5u0iG6njPJAS7kg
3zxZSStcVoHTFsHYoDyHrNCJ+YUuKGyNryyURKAqJfm4jPKizxsVmhx5b3VHUvo=
=TvxO
-----END PGP SIGNATURE-----
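The detection approach described in the reply above (match the plaintext CONNECT request on its way to the proxy, or scan the proxy's access log for the drive.google.com host) as an added, self-contained example. This is not code from the list post or from Suricata; it is a small Python script that parses a constructed CONNECT payload and a few constructed Squid-format log lines. The watch list, the `$PROXY_SERVERS` variable and the illustrative Suricata rule in the comment are assumptions, not values from the post.

```python
import re

# Constructed sample input (not a capture from the list post): the CONNECT
# request a client sends to the proxy, with the header lines the post shows.
CONNECT_PAYLOAD = (
    "CONNECT drive.google.com:443 HTTP/1.1\r\n"
    "Host: drive.google.com\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Constructed Squid native access-log lines: the first mirrors the one quoted
# in the post, the other two are unrelated traffic that must not be flagged.
PROXY_LOG = """\
1422379784.478  16141 192.168.0.2 TCP_MISS/200 4298 CONNECT drive.google.com:443 - DIRECT/74.125.224.101 -
1422379790.102    812 192.168.0.3 TCP_MISS/200 1200 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1422379795.555     90 192.168.0.2 TCP_MISS/200  640 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""

# Hypothetical watch list of hosts the analyst wants to alert on.
WATCHLIST = {"drive.google.com", "docs.google.com"}

# For reference, an illustrative Suricata rule expressing the same match on
# the wire (assumed $PROXY_SERVERS variable and sid; adjust to your setup):
# alert tcp $HOME_NET any -> $PROXY_SERVERS 3128 (msg:"Proxy CONNECT to drive.google.com";
#   flow:to_server,established; content:"CONNECT drive.google.com|3a|443 "; depth:32;
#   sid:1000001; rev:1;)

# Request-line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]\r?$", re.M
)


def connect_target(payload: str):
    """Return (host, port) from a proxy CONNECT request, or None if absent."""
    m = CONNECT_RE.search(payload)
    if not m:
        return None
    return m.group("host").lower(), int(m.group("port"))


def host_matches(host: str, watchlist) -> bool:
    """True if host equals, or is a subdomain of, a watch-listed name."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def parse_squid_line(line: str):
    """Parse one Squid native-format line into the fields we care about."""
    f = line.split()
    # timestamp elapsed client action/code bytes method url ident hier/peer type
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3],
            "method": f[5], "url": f[6]}


def url_host(method: str, url: str):
    """Host portion of the logged URL: 'host:port' for CONNECT, else scheme://host."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else None


def flag_proxy_log(text: str, watchlist):
    """Return (client_ip, host) for every log line whose host is watch-listed."""
    hits = []
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        host = url_host(rec["method"], rec["url"])
        if host and host_matches(host, watchlist):
            hits.append((rec["client"], host))
    return hits


if __name__ == "__main__":
    print("CONNECT target:", connect_target(CONNECT_PAYLOAD))
    for client, host in flag_proxy_log(PROXY_LOG, WATCHLIST):
        print(f"watch-list hit: {client} -> {host}")
```

The subdomain check in `host_matches` is deliberate: matching on a bare substring would also fire on names such as `notdrive.google.com`, while anchoring on a dot boundary keeps the log scan aligned with what the wire signature sees.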


