Detection Ultrasurf's traffic

ozanus

As you know, Ultrasurf is the most famous tool for bypassing content filter systems.

Here is the snort rule for detecting Ultrasurf's traffic. this rule detects Ultrasurf's self-signed SSL certificate and can never be false-positive.

#Ozan UCAR @2013
#SSL Client Hello Hex Value 16 03 00 00 61 01 00 00 5d 03
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "Ultrasurf"; flow:to_server,established; content:"|16030000610100005d03|"; classtype:policy-violation; sid:1000099;)

Also, you can block their traffic with snort. Just replace 'alert' to 'drop' or use Snort's 'react' module.

Example log output;

01/06/14-23:01:41.885614 ,1,1000099,0,"Ultrasurf",TCP,x.x.x.241,26434,65.49.14.82,443,17301,Potential Corporate Privacy Violation,1,

I attached screenshots to this post.

sort_rule_usurf.png_thumb

sort_alert_usurf.png_thumb

ultrasurf_blocked.png_thumb

ultrasurf_ssl-hex.png_thumb

mrbostn

Thank you for sharing

drmavi

dont work!

I think I have the wrong or your system dosent work

I've addes my screenshoots.

snort_log1.jpg_thumb

snort_log2.jpg_thumb