Is there a signature to detect mypc applications in the network stream?

p.mckay
Level 1

Recently located a user's laptop with mypc running on it, so I have been looking to see if there is a signature that detects this type of traffic and other traffic related to these types of applications. I have looked at the following: 5188 HTTP Tunneling, which is enabled. This does not seem to be a signature that will detect this traffic, but I am not sure.

Do you need to create a custom signature?

If so does anyone have an example as to what is common to mypc traffic or other remote access applications like this?

3 Replies

jlimbo
Level 1

We will look into this and get back to you.

Thanks,

Jonathan

mhellman
Level 7

Most of them are (or can be) configured to work over an encrypted HTTP tunnel, so detecting/blocking them with an IPS signature can be difficult. The best you can often do is detect/block based on destination IP address. If you have one, the HTTP proxy is usually the best place to block access.

nicksmi
Cisco Employee

A custom signature may work best here.

String TCP, from service, port 8200

\x00\x00\x00\x0a\x01\xff\x50\x53\x10\x8a

That is the data of the packet I observed the client send to the poll server (66.151.158.177 = [ poll.gotomypc.com ]) on port 8200. The client lets the poll server know it is alive so that remote machines can connect to it. As most usage activity is encrypted, this is probably the best way to detect active gotomypc hosts on your network.
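The two detection ideas in this thread (the byte pattern on port 8200 from nicksmi's post, and blocking on the poll server address from mhellman's) combined into one small detector, as an added example that is not part of the original thread or of any Cisco product. It assumes a stream of TCP segments that have already been reassembled; the traffic records are constructed, and checking both directions on port 8200 is an assumption made here.

```python
from dataclasses import dataclass

# Byte string from nicksmi's post, written as hex for readability.
POLL_PATTERN = bytes.fromhex("0000000a01ff5053108a")
POLL_PORT = 8200
# Poll server address quoted in the post; used here only as sample data.
POLL_SERVER_IPS = {"66.151.158.177"}


@dataclass
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def classify(seg):
    """Return the reasons that fire for one segment (empty list if none).

    'payload-signature': the keep-alive bytes appear in a segment touching
    port 8200; both directions are checked (an assumption, since the post
    describes the client sending it while the signature says 'from service').
    'poll-server-ip': an endpoint is a known poll server, which still fires
    when the payload is encrypted or has changed.
    """
    reasons = []
    if POLL_PORT in (seg.src_port, seg.dst_port) and POLL_PATTERN in seg.payload:
        reasons.append("payload-signature")
    if seg.src_ip in POLL_SERVER_IPS or seg.dst_ip in POLL_SERVER_IPS:
        reasons.append("poll-server-ip")
    return reasons


def scan(segments):
    """Map (src_ip, src_port, dst_ip, dst_port) -> reasons for matching segments."""
    hits = {}
    for seg in segments:
        reasons = classify(seg)
        if reasons:
            hits[(seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)] = reasons
    return hits


# Constructed sample traffic (not captured data): a keep-alive to the poll server,
# the same bytes to another host on 8200, a benign HTTP request, and a connection
# to the poll server on 443 whose payload does not match the pattern.
SAMPLE = [
    TcpSegment("10.0.0.5", 51234, "66.151.158.177", 8200, POLL_PATTERN),
    TcpSegment("10.0.0.6", 51235, "198.51.100.7", 8200, b"\x00\x00" + POLL_PATTERN),
    TcpSegment("10.0.0.7", 51236, "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    TcpSegment("10.0.0.8", 51237, "66.151.158.177", 443, b"\x16\x03\x01\x00\xa5"),
]
```

The fourth sample shows why the address check matters: an encrypted session to the poll server carries none of the signature bytes but is still flagged.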
