Cisco Support Community

New Member

Is there a signature to detect mypc applications in the network stream?

Recently located a user's laptop with my pc running on it, so I have been looking to see if there is a signature that detects this type of traffic and other traffic related to these types of applications. I have looked at the following: 5188 HTTP Tunneling, which is enabled. This does not seem to be a signature that will detect this traffic, but I am not sure.

Do you need to create a custom signature?

If so, does anyone have an example as to what is common to mypc traffic or other remote access applications like this?

3 REPLIES
New Member

Re: Is there a signature to detect mypc applications in the netw

We will look into this and get back to you.

Thanks,

Jonathan

Gold

Re: Is there a signature to detect mypc applications in the netw

Most of them are (or can be) configured to work over an encrypted HTTP tunnel, so detecting/blocking them with an IPS signature can be difficult. The best you can often do is detect/block based on destination IP address. If you have one, the HTTP proxy is usually the best place to block access.

Cisco Employee

Re: Is there a signature to detect mypc applications in the netw

A custom signature may work best here.

String TCP, from service, port 8200

\x00\x00\x00\x0a\x01\xff\x50\x53\x10\x8a

That is the data of the packet I observed the client send to the poll server (66.151.158.177 = [ poll.gotomypc.com ]) on port 8200. The client lets the poll server know it is alive so that remote machines can connect to it. As most usage activity is encrypted, this is probably the best way to detect active gotomypc hosts on your network.
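The check described in the last reply, written out as an added Python example that is not part of the thread and is not a Cisco signature definition: it looks for the quoted 10-byte string in the TCP payload of raw IPv4 packets on port 8200 and reports which direction the match was seen in. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

# Byte string and port quoted in the reply above.
PATTERN = bytes.fromhex("0000000a01ff5053108a")
SERVICE_PORT = 8200

def match_keepalive(ip_packet: bytes):
    """Return 'to-service', 'from-service' or None for one raw IPv4 packet."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None                      # not IPv4 carrying TCP
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack("!HHH", ip_packet[2:8])
    if ihl < 20 or frag & 0x1FFF:        # bad header, or non-first fragment
        return None
    segment = ip_packet[ihl:min(total_len, len(ip_packet))]
    if len(segment) < 20:
        return None
    sport, dport = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4    # TCP header length incl. options
    if data_off < 20 or data_off > len(segment):
        return None
    payload = segment[data_off:]
    if PATTERN not in payload:           # substring search over the payload
        return None
    if dport == SERVICE_PORT:
        return "to-service"
    return "from-service" if sport == SERVICE_PORT else None

def build_packet(src, dst, sport, dport, payload):
    """Constructed test input: minimal IPv4 + TCP headers (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp + payload

CLIENT = (10, 0, 0, 5)        # constructed internal host
SERVER = (192, 0, 2, 10)      # documentation address standing in for the poll server
SAMPLES = [                   # constructed packets, not captured traffic
    build_packet(CLIENT, SERVER, 49152, 8200, PATTERN),
    build_packet(CLIENT, SERVER, 49153, 443, PATTERN),            # wrong port
    build_packet(CLIENT, SERVER, 49154, 8200, b"GET / HTTP/1.1\r\n"),
    build_packet(SERVER, CLIENT, 8200, 49152, b"\x00" + PATTERN),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(match_keepalive(pkt))
```
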
