
Initial Import

1 parent 9bfd046 commit 26450b6893f7ea18ba2f37ec0c7f058cf7dfde07 @stephane-chazelas committed Aug 24, 2012
Showing with 28 additions and 1 deletion.
  1. +11 −1 README.md
  2. +2 −0 __load__.bro
  3. +7 −0 main.bro
  4. +8 −0 skype-fake-https-detect.sig
12 README.md
@@ -1,4 +1,14 @@
bro-skype-fake-https-detect
===========================
-Bro IDS extension to detect Skype's fake HTTPS traffic and mark it as such in conn.log
+Bro IDS extension to detect Skype's fake HTTPS traffic and mark it as such in conn.log
+
+Installation
+------------
+
+::
+
+ cd <prefix>/share/bro/site/
+ git clone git://github.com/stephane-chazelas/bro-skype-fake-https-detect.git
+ echo "@load bro-skype-fake-https-detect" >> local.bro
+
2 __load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load-sigs ./skype-fake-https-detect.sig
7 main.bro
@@ -0,0 +1,7 @@
+module SkypeFakeHTTPSDetect;
+
+function mark_conn_as_skype(state: signature_state, data: string): bool
+ {
+ add state$conn$service["skype"];
+ return F;
+ }
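Review bot: The `return F;` in mark_conn_as_skype carries the whole design and has no comment explaining it. As the signature's `eval` condition, a false return should mean the signature never counts as matched, so the `event "Skype fake HTTPS connection"` text is presumably never raised through signature_match and the only trace left is the "skype" entry added to the connection's service set. Anyone expecting a signatures.log line or a notice from this detection will not get one and has to alert on the service field in conn.log instead. I would state that above the return, e.g. `# Return F on purpose: tag the connection, but never let the signature itself match.` The unused `data` parameter could get a one-line comment saying it is only there because the eval callback signature requires it.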
8 skype-fake-https-detect.sig
@@ -0,0 +1,8 @@
+signature skype_fake_https {
+ ip-proto == tcp
+ tcp-state established,responder
+ event "Skype fake HTTPS connection"
+ src-port == 443
+ payload /^\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01\x40\x1b\xe4\x86\x02\xad\xe0\x29\xe1\x77\x74\xe5\x44\xb9\xc9\x9c\xb4\x31\x31\x5e\x02\xdd\x77\x9d\x15\x4a\x96\x09\xba\x5d\xa8\x70/
+ eval SkypeFakeHTTPSDetect::mark_conn_as_skype
+}
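Review bot: The `payload` pattern is an undocumented literal and needs a comment saying what it encodes: a TLS record header (`\x16\x03\x01\x00\x4a`), a ServerHello header (`\x02\x00\x00\x46`), version `\x03\x01`, and then a full 32-byte random field that is constant. A genuine TLS server picks a fresh random for every handshake, so the fixed value is what separates this traffic from real HTTPS; that reasoning belongs above the `payload` line, e.g. `# ServerHello with a constant 32-byte random, as sent by Skype's fake HTTPS responder`. Because the match is an exact byte string combined with `src-port == 443`, a client that changes any of these bytes or answers on another port is missed silently, so the comment should also record the date or client version the capture was taken from.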
