Snort mailing list archives

Re: Create rules for Google Hangouts


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 12 Feb 2015 12:07:08 +0000

You won't be able to match the text in the encrypted payload with a rule. If you could, that would defeat the whole 
purpose of encryption, right? ☺

I think you should take a look at the manual and the basics of rule writing. This will give you a starting point for 
understanding what you can and cannot do with them.

http://manual.snort.org/node27.html


Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
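An added example to illustrate the point above (this is not code from the thread, from Snort, or from the OpenAppID package): the TLS ClientHello that opens an HTTPS session is sent in the clear, and its server_name (SNI) extension carries the host name the client is connecting to. That host name is the kind of byte sequence a Snort `content:` match restricted to the handshake (for example with the SSL preprocessor's `ssl_state:client_hello` rule option) or an OpenAppID detector can actually see, whereas the application-data records that follow are ciphertext and give a content match nothing to work with. The code builds a minimal ClientHello carrying an SNI extension and parses the name back out of it; the host name `hangouts.example.net` and the application-data bytes are constructed for the example and are not a claim about what Hangouts really sends.

```python
"""Added example, not from the Snort-users thread or the OpenAppID package.

Builds a minimal TLS ClientHello with a server_name (SNI) extension and
extracts the host name from it, to show which part of an HTTPS session a
rule's content match can still see. The host name and the application-data
record below are constructed for illustration (assumptions, not captures).
"""
import struct

# Constructed TLS application_data record (type 0x17): 16 bytes of opaque
# ciphertext stand-in. A content match finds nothing meaningful in here.
APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(16))


def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record holding a minimal ClientHello with an SNI extension.

    Only the fields a parser has to walk over are populated; the random,
    cipher-suite list and compression list are placeholders.
    """
    host = hostname.encode("ascii")
    # ServerNameList: one entry of (name_type=0 host_name, 2-byte length, name)
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                           # client_version TLS 1.2
        + b"\x00" * 32                        # random (placeholder)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + exts
    )
    # Handshake header: type 1 = client_hello, 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 handshake, legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None.

    None means: not a handshake record, not a ClientHello, truncated, or no
    server_name extension (e.g. an application_data record, or a client that
    hides the name, which a detector should treat as 'unknown').
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip compression methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # server_name: 2-byte list length, then (name_type, 2-byte len, name) entries
        p = 2
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0:
                return name.decode("ascii", "replace")
    return None


def content_visible(record: bytes, needle: bytes) -> bool:
    """Mimic a plain content match: is the byte string present in the record?"""
    return needle in record


if __name__ == "__main__":
    hello = build_client_hello("hangouts.example.net")  # constructed name
    print("SNI in ClientHello:", extract_sni(hello))
    print("'hangouts' visible in handshake:", content_visible(hello, b"hangouts"))
    print("SNI in application data:", extract_sni(APP_DATA))
    print("'hangouts' visible in app data:", content_visible(APP_DATA, b"hangouts"))
```

The takeaway for rule writing is that the matchable bytes live in the handshake, not in the conversation: anchor the match to the ClientHello (or the server certificate) rather than to application data. One caveat worth keeping in mind for a detector built this way: a client that omits or encrypts the server name (TLS Encrypted ClientHello) produces no SNI at all, so an absent name should be classified as unknown rather than as "not the application you are looking for".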

From: liao zhuodi [mailto:liao_zd () foxmail com]
Sent: Wednesday, February 11, 2015 10:11 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Create rules for Google Hangouts

Thanks Lewis, the grep on appMapping.data does help. I am trying to create some complete rules. I find that some of the 
rules/OpenAppID use an HTTP pattern to detect user access, for example Google Hangouts: http://www.google.com/hangouts/, but 
when users use Google Hangouts, they usually use it inside the Gmail web page, or some client end. But the message text 
or Hangouts call is encrypted by SSL/HTTPS, so how can I catch the traffic from Hangouts?

Liao

On 11 Feb 2015, at 20:02, Al Lewis (allewi) <allewi () cisco com> wrote:

To get a feel for what you can do with rules a good place to start would be here: http://manual.snort.org/node27.html

There are a bunch of app detectors in the OpenAppID tool for Google (Hangouts is one of them); I have listed them 
below. You can check out/download OpenAppID here: https://www.snort.org/downloads

alewis@debian-7:~/Downloads/odp$ cat appMapping.data | cut -f2 | grep -i google
Google APIs
Google App Engine
Google Drive
Google Talk Gadget
Google
Google Translate
Google Analytics
Google Calendar
Google News
Google Product Search
Google Safebrowsing
Google Earth
Googlebot
Google Toolbar
Google Finance
Google Play Books
Google Play Music
Google Reader
Google Adsense
Google Remote Desktop
Google Fiber
Google Code project hosting
Google Update
Googlebot Image Search
Google PageSpeed
Google URL Shortener
Google Groups
Google+ Photos
Google+ Videos
Google Accounts Authentication
Google Hangouts
Google Helpouts

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: liao zhuodi [mailto:liao_zd () foxmail com]
Sent: Wednesday, February 11, 2015 2:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Create rules for Google Hangouts

I am trying to create rules for the Google Hangouts app. It is a web app in the Gmail page and it uses the Quick UDP protocol; 
however, I cannot find the signature for it. Does anyone have any suggestions? Thanks.

Liao
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!