04-13-2007 02:16 PM - edited 03-10-2019 03:34 AM
Recently located a user's laptop with GoToMyPC running on it, so I have been looking to see if there is a signature that detects this type of traffic and other traffic related to these types of applications. I have looked at the following signatures, such as 5188 HTTP Tunneling, which are enabled. This does not seem to be a signature that will detect this traffic, but I am not sure.
Do you need to create a custom signature?
If so, does anyone have an example of what is common to GoToMyPC traffic or other remote access applications like this?
04-13-2007 05:33 PM
We will look into this and get back to you.
Thanks,
Jonathan
04-16-2007 09:59 AM
Most of them are (or can be) configured to work over an encrypted HTTP tunnel, so detecting/blocking them with a IPS signature can be difficult. The best you can often do is detect/block based on destination IP address. If you have one, the http proxy is usually the best place to block access.
05-10-2007 08:38 AM
A custom signature may work best here.
String TCP, from service, port 8200
\x00\x00\x00\x0a\x01\xff\x50\x53\x10\x8a
That is the data of the packet I observed the client send to the poll server (66.151.158.177 = [ poll.gotomypc.com ]) on port 8200. The client lets the poll server know it is alive so that remote machines can connect to it. As most usage activity is encrypted, this is probably the best way to detect active gotomypc hosts on your network.
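The two detection approaches discussed in this thread (flagging the poll server by destination address, and matching the poll packet bytes on TCP port 8200) expressed as host-side detection logic over constructed packet records. This is an added example, not code from the original posts or from Cisco; the packet records, the private source addresses and the non-GoToMyPC destination addresses are constructed test data, and matching on traffic sent to port 8200 follows the poster's description of a client-to-poll-server packet (the `from service` direction in the original signature is the poster's own choice and is not reproduced here).

```python
import ipaddress
from dataclasses import dataclass

# Payload bytes quoted in the thread's custom signature (TCP port 8200).
GOTOMYPC_POLL_SIG = b"\x00\x00\x00\x0a\x01\xff\x50\x53\x10\x8a"
POLL_PORT = 8200

# Poll server address quoted in the thread (poll.gotomypc.com). In practice
# this set would be populated from DNS resolution of the vendor's poll hosts.
KNOWN_POLL_SERVERS = {ipaddress.ip_address("66.151.158.177")}


@dataclass
class Packet:
    """Minimal TCP segment record (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def matches_poll_signature(pkt: Packet) -> bool:
    """Byte-pattern check: segment sent to port 8200 whose payload begins
    with the poll bytes. Port plus payload prefix keeps unrelated services
    that happen to use 8200 from matching."""
    return pkt.dst_port == POLL_PORT and pkt.payload.startswith(GOTOMYPC_POLL_SIG)


def to_known_poll_server(pkt: Packet) -> bool:
    """Destination-address check: the fallback suggested for encrypted
    tunnels, where payload inspection gives nothing to match on."""
    return ipaddress.ip_address(pkt.dst_ip) in KNOWN_POLL_SERVERS


def classify(pkt: Packet) -> list:
    """Return the list of reasons a segment is considered GoToMyPC polling
    (empty list means no detection)."""
    reasons = []
    if matches_poll_signature(pkt):
        reasons.append("poll-signature")
    if to_known_poll_server(pkt):
        reasons.append("known-poll-server")
    return reasons


def scan(packets) -> list:
    """Return (source host, reasons) for every segment that triggers at
    least one check; the source host is what you would follow up on."""
    hits = []
    for pkt in packets:
        reasons = classify(pkt)
        if reasons:
            hits.append((pkt.src_ip, reasons))
    return hits


# Constructed traffic: one real-looking poll, the same bytes to an unlisted
# server, encrypted traffic to the poll server, and unrelated use of port 8200.
SAMPLE_PACKETS = [
    Packet("10.0.0.23", 51234, "66.151.158.177", 8200, GOTOMYPC_POLL_SIG + b"\x00\x00"),
    Packet("10.0.0.23", 51235, "192.0.2.10", 8200, GOTOMYPC_POLL_SIG),
    Packet("10.0.0.45", 51300, "66.151.158.177", 443, b"\x16\x03\x01\x00\x5a"),
    Packet("10.0.0.77", 51400, "198.51.100.5", 8200, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_PACKETS):
        print(f"{host}: {', '.join(reasons)}")
```

The byte-pattern check catches the poll even when the server address changes, and the address check catches the encrypted session that carries no matchable bytes; running both gives the two independent indicators the thread describes. A match on the source host is the starting point for locating the machine, not proof of a session in progress.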