[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] ISC Twitter/Google Snort Signatures

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] ISC Twitter/Google Snort Signatures
From: John Jacobs <flamdugen@xxxxxxxxxxx>
Date: Fri, 15 May 2009 10:07:32 -0500

Hello FD, first and foremost thank you for the strong effort and excellent 
signatures.  As such, in an attempt to give back to a wonderful community, I 
humbly submitted the following Snort rules for inclusion into the ET 
signatures.  A brief explanation is provided below:

The first signature is designed to detect Google non-security related 
announcement articles on the ISC Diary; this seems to be a topic of extreme 
interest for some ISC Handlers despite having little to no security value.  I 
am unsure if this is a result of "Slow News Day" syndrome or another behavorial 
oddity which manifests at ISC.  This will detect on "Google is slow" style 
articles as well, however, I am sure this signature will require more tweaking 
as ISC encourages handing over more personal data to a 3rd party under the 
guise of functionality.

The second signature is designed to detect Joel peddling Twitter on the 
isc.sans.org Diary, as again, this isn't security related.  I suspect the 
Twitter signature may tend to fire more than the Google as Joel tends to get 
excited about "Tweeting" and "Twittering" and this spills over into the ISC 
Diary anytime he's the "Handler on Duty".

As always, please feel free to make changes to this signatures, especially 
regarding performance.  I've placed these into ET POLICY but they may be more 
applicable in another classes, perhaps a blocking class. I thank you in 
advance, feel free to modify for PCRE as well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert; 
flow:established,to_server; content:"|0D 0A|Host|3A 20|isc|2E|sans|2E|org|0D 
0A|"; reference:url,isc.sans.org/; classtype:policy-violation; sid:2009xxxx; 
rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY 
isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans; 
flow:established,from_server; content:"google"; nocase; content:"slow"; nocase; 
reference:url,isc.sans.org/diary.html?storyid=6388; 
reference:url,isc.sans.org/diary.html?storyid=5443; classtype:policy-annoyance; 
sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY 
isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans; 
flow:established,from_server; content:"Joel|20|Esler"; nocase; 
content:"Twitter"; nocase; reference:url,isc.sans.org/diary.html?storyid=6391; 
reference:url,isc.sans.org/diary.html?storyid=6388; classtype:policy-annoyance; 
sid:2009xxxx; rev:1;)

- John Jacobs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Snort Sigs for ISC Twitter/Google Diary Annoucements
Next by Date: Re: [Full-disclosure] Howto Simulate a BotNet ?
Previous by thread: [Full-disclosure] Snort Sigs for ISC Twitter/Google Diary Annoucements
Next by thread: [Full-disclosure] IIS6 + webdav and unicode rides again in 2009
Index(es):
- Date
- Thread