Detecting Ultrasurf's traffic
-
As you know, Ultrasurf is the most famous tool for bypassing content filter systems.
Here is the Snort rule for detecting Ultrasurf's traffic. This rule detects Ultrasurf's self-signed SSL certificate and can never be a false positive.

#Ozan UCAR @2013
#SSL Client Hello Hex Value 16 03 00 00 61 01 00 00 5d 03
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "Ultrasurf"; flow:to_server,established; content:"|16030000610100005d03|"; classtype:policy-violation; sid:1000099;)

Also, you can block their traffic with Snort. Just replace 'alert' with 'drop' or use Snort's 'react' module.

Example log output:
01/06/14-23:01:41.885614 ,1,1000099,0,"Ultrasurf",TCP,x.x.x.241,26434,65.49.14.82,443,17301,Potential Corporate Privacy Violation,1,
I attached screenshots to this post.
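To make clear what the rule's ten-byte content match actually looks at, here is an added Python example (not part of the post, and not code from its author) that decodes those bytes as an SSL/TLS record header plus the start of a ClientHello handshake, and applies the same "port 443 plus payload starts with the signature" check to a few constructed packet payloads. The sample payloads below are constructed for illustration; only the byte pattern itself comes from the rule above.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Byte pattern taken from the Snort rule on this page: content:"|16030000610100005d03|"
ULTRASURF_SIG = bytes.fromhex("16030000610100005d03")

# Constructed sample payloads (first bytes of a TCP segment to the server).
# 1) Matches the rule: signature followed by filler up to the declared record length.
SAMPLE_ULTRASURF = ULTRASURF_SIG + bytes(5 + 0x61 - len(ULTRASURF_SIG))
# 2) A typical TLS 1.0 ClientHello start: record version 03 01, different lengths.
SAMPLE_NORMAL_TLS = bytes.fromhex("160301009c0100009803014a") + bytes(150)
# 3) Plain HTTP, not TLS at all.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def parse_tls_record_prefix(payload: bytes) -> Optional[Dict[str, int]]:
    """Decode the first ten bytes of an SSL/TLS record the way the rule sees them.

    Layout: content_type(1) version(2) record_length(2)
            handshake_type(1) handshake_length(3) hello_version_major(1)
    Returns None if the payload is too short to hold those fields.
    """
    if len(payload) < 10:
        return None
    content_type, ver_major, ver_minor, record_length = struct.unpack("!BBBH", payload[:5])
    handshake_type = payload[5]
    handshake_length = int.from_bytes(payload[6:9], "big")
    hello_version_major = payload[9]
    return {
        "content_type": content_type,        # 0x16 = handshake
        "record_version_major": ver_major,   # 0x03
        "record_version_minor": ver_minor,   # 0x00 = SSL 3.0 record layer
        "record_length": record_length,      # 0x0061 = 97 bytes
        "handshake_type": handshake_type,    # 0x01 = ClientHello
        "handshake_length": handshake_length,  # 0x00005d = 93 bytes (97 - 4 header bytes)
        "hello_version_major": hello_version_major,  # 0x03
    }


def is_plausible_client_hello(payload: bytes) -> bool:
    """Structural sanity check independent of the fixed signature."""
    hdr = parse_tls_record_prefix(payload)
    if hdr is None:
        return False
    return (
        hdr["content_type"] == 0x16
        and hdr["handshake_type"] == 0x01
        and hdr["record_length"] == hdr["handshake_length"] + 4
    )


def matches_rule(dst_port: int, payload: bytes) -> bool:
    """Mirror the rule: client->server traffic to port 443 whose payload
    begins with the exact ten-byte pattern. Snort's content match without a
    'depth' or 'offset' would match anywhere in the payload; the prefix
    check here is the case the comment in the rule describes (ClientHello)."""
    return dst_port == 443 and payload.startswith(ULTRASURF_SIG)


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Return the names of flows that would trigger sid:1000099."""
    return [name for name, dst_port, payload in flows if matches_rule(dst_port, payload)]


if __name__ == "__main__":
    # Constructed flows: (label, destination port, first payload bytes)
    flows = [
        ("ultrasurf-like", 443, SAMPLE_ULTRASURF),
        ("normal-tls", 443, SAMPLE_NORMAL_TLS),
        ("http", 80, SAMPLE_HTTP),
        ("ultrasurf-like-odd-port", 8443, SAMPLE_ULTRASURF),
    ]
    print("Decoded signature:", parse_tls_record_prefix(SAMPLE_ULTRASURF))
    print("Flows matching the rule:", scan_flows(flows))
```

The decoded fields show why the pattern is so specific: it pins the record-layer version to SSL 3.0 (03 00), a record length of exactly 97 bytes and a ClientHello of exactly 93 bytes. A client whose hello changes length (different cipher list, extensions, a newer record version) would no longer match, which is the trade-off of a fixed-byte signature: low false-positive rate, but it is tied to one specific client build.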
-
Thank you for sharing
-
Doesn't work!
I think I have something wrong, or your system doesn't work.
I've added my screenshots.