Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Full-disclosure] blocking Google Desktop
From: sekure (sekuregmail.com)
Date: Tue Feb 14 2006 - 12:23:38 CST
I believe it is per TCP session, but don't quote me on that. Actually
now that i think about it, if it indeed is per TCP session then the
second rule will not trigger, since the SSL connection will be a part
of a different session.
I am not 100% sure though. Try it out and let us know. You might want
to post to snort-sigs or snort-users and see if they are more helpful.
On 2/14/06, Michael Holstein <michael.holsteincsuohio.edu> wrote:
> > The first rule would get flowbits:noalert; flowbits:set,google.user.agent;
> > And the second rule would get flowbits:isset,google.user.agent;
> Is that global (if #1, then always #2), or is it "per-IP" ?
> I verified I can block the SSL session setup using the snort sig I
> posted the other day .. but it kills any Google SSL (gmail, groups,
> etc.) .. which is fine, provided I can only block google SSL to users
> that are running the desktop.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/