Stephane Chazelas
committed
Aug 24, 2012
1 parent
9bfd046
commit 26450b6
Showing
4 changed files
with
28 additions
and
1 deletion.
@@ -1,4 +1,14 @@ | |||
bro-skype-fake-https-detect | bro-skype-fake-https-detect | ||
=========================== | =========================== | ||
|
|
||
Bro IDS extension to detect Skype's fake HTTPS traffic and mark it as such in conn.log | Bro IDS extension to detect Skype's fake HTTPS traffic and mark it as such in conn.log | ||
|
|||
Installation | |||
------------ | |||
|
|||
:: | |||
|
|||
cd <prefix>/share/bro/site/ | |||
git clone git://github.com/stephane-chazelas/bro-skype-fake-https-detect.git | |||
echo "@load bro-skype-fake-https-detect" >> local.bro | |||
|
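--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,2 @@
+@load ./main
+@load-sigs ./skype-fake-https-detect.sig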
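--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,7 @@
+module SkypeFakeHTTPSDetect;
+
+function mark_conn_as_skype(state: signature_state, data: string): bool
+{
+add state$conn$service["skype"];
+return F;
+}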
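Review bot: `mark_conn_as_skype` returns F on every call, and in the signature framework an eval function returning false means the signature is treated as not matched, so the `event "Skype fake HTTPS connection"` line in the .sig hunk never raises signature_match and the only observable effect of a hit is the service tag in conn.log. If that is the intent it should be stated, because a maintainer who later hooks a notice onto that event will get nothing; a doc comment above the function such as `## Tag the connection as "skype" in conn.log. Returns F so the signature framework does not raise signature_match; the service tag is the only effect.` would make it explicit. The `data` parameter is unused, which is fine for an eval callback but worth mentioning in the same comment.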
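--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,8 @@
+signature skype_fake_https {
+ip-proto == tcp
+tcp-state established,responder
+event "Skype fake HTTPS connection"
+src-port == 443
+payload /^\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01\x40\x1b\xe4\x86\x02\xad\xe0\x29\xe1\x77\x74\xe5\x44\xb9\xc9\x9c\xb4\x31\x31\x5e\x02\xdd\x77\x9d\x15\x4a\x96\x09\xba\x5d\xa8\x70/
+eval SkypeFakeHTTPSDetect::mark_conn_as_skype
+}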
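Review bot: The `payload` pattern is 39 literal bytes with nothing saying what they are, which will make the signature hard to maintain the day it stops matching. Reading the byte layout, it is a TLS 1.0 record header (`\x16\x03\x01`, length 0x4a) carrying a ServerHello (`\x02`, length 0x46, version `\x03\x01`) followed by a 32-byte server random starting `\x40\x1b\xe4\x86` that is a fixed value; a genuine server sends a fresh random on every handshake, so the constant is what identifies the canned hello, and any change to that canned value silently breaks detection. A comment above the `payload` line such as `# Canned TLS 1.0 ServerHello: record header, handshake header, version, then a constant 32-byte "random" that a real server never repeats; update if the canned hello changes` would record that. The `src-port == 443` line also restricts the match to responders on port 443, so a peer answering on any other port is never tagged; stating that scope in the README or in the same comment would avoid surprises.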