Detecting Ultrasurf's traffic



  • As you know, Ultrasurf is the most famous tool for bypassing content filter systems.

    Here is the snort rule for detecting Ultrasurf's traffic. This rule detects Ultrasurf's self-signed SSL certificate and can never be false-positive.

    #Ozan UCAR @2013
    #SSL Client Hello Hex Value 16 03 00 00 61 01 00 00 5d 03
    #  16 = handshake record, 03 00 = SSLv3 record version, 00 61 = record length (97)
    #  01 = ClientHello, 00 00 5d = handshake length (93), 03 = first byte of the client version
    #depth:10 anchors the match to the start of the payload, where the Client Hello begins
    alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Ultrasurf"; flow:to_server,established; content:"|16030000610100005d03|"; depth:10; classtype:policy-violation; sid:1000099; rev:1;)

    Also, you can block their traffic with snort. Just replace 'alert' with 'drop' or use Snort's 'react' module.

    Example log output:

    01/06/14-23:01:41.885614 ,1,1000099,0,"Ultrasurf",TCP,x.x.x.241,26434,65.49.14.82,443,17301,Potential Corporate Privacy Violation,1,

    I attached screenshots to this post.
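As an added example (not part of the original post or the rule's author's work), the following Python decodes the ten bytes the Snort rule matches and applies the same offset-0 comparison to sample payloads. The payloads are constructed here, not captured from a real client, and the names `parse_tls_record` and `matches_ultrasurf_rule` are this example's own. It shows why the signature is so specific: it pins the record version, the record length and the handshake length together, so a ClientHello of any other size or version falls through.

```python
import struct

# The ten bytes from the Snort rule's content match.
SIGNATURE = bytes.fromhex("16030000610100005d03")

# Constructed sample payloads (assumptions, not real captures):
# 1) a ClientHello whose headers match the rule; filler pads the record to
#    the 0x61 bytes its header claims (10 signature bytes + 92 filler bytes).
ULTRASURF_LIKE_HELLO = SIGNATURE + b"\x00" * 0x5c
# 2) a TLS 1.2 ClientHello with a different record length; must not match.
TLS12_HELLO = bytes.fromhex("160301002c010000280303") + b"\x00" * 0x26
# 3) an application-data record, not a handshake at all.
APP_DATA = bytes.fromhex("17030300200000")


def parse_tls_record(payload: bytes):
    """Decode the 5-byte record header and 4-byte handshake header.

    Returns a dict of fields, or None when the payload is too short or is
    not a handshake record (content type 0x16).
    """
    if len(payload) < 9:
        return None
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16:
        return None
    hs_type = payload[5]                                  # 1 = ClientHello
    hs_len = int.from_bytes(payload[6:9], "big")          # 24-bit length
    return {
        "record_version": (rec_major, rec_minor),         # (3, 0) = SSLv3
        "record_length": rec_len,
        "handshake_type": hs_type,
        "handshake_length": hs_len,
        # A well-formed single-message record has record_length == handshake_length + 4.
        "lengths_consistent": rec_len == hs_len + 4,
    }


def matches_ultrasurf_rule(payload: bytes) -> bool:
    """Mirror the Snort rule: the ten signature bytes at offset 0 of the payload."""
    return payload[: len(SIGNATURE)] == SIGNATURE


def classify(payload: bytes) -> str:
    """Human-readable verdict combining the decoded headers and the rule match."""
    fields = parse_tls_record(payload)
    if fields is None:
        return "not a TLS handshake record"
    verdict = "MATCH (sid:1000099)" if matches_ultrasurf_rule(payload) else "no match"
    return (f"{verdict}: version={fields['record_version']} "
            f"record_len={fields['record_length']} hs_type={fields['handshake_type']} "
            f"hs_len={fields['handshake_length']} consistent={fields['lengths_consistent']}")


if __name__ == "__main__":
    for name, pkt in [("ultrasurf-like", ULTRASURF_LIKE_HELLO),
                      ("tls1.2 hello", TLS12_HELLO),
                      ("app data", APP_DATA)]:
        print(f"{name:15s} {classify(pkt)}")
```

Because the match is tied to an exact record length, a client that sends a ClientHello of any other size (a different cipher suite list, an added extension) is not caught; that is the trade-off behind the "never false-positive" claim, and worth remembering when the signature stops firing after a software update.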

  • Thank you for sharing



  • Doesn't work!

    I think I have it wrong or your system doesn't work.

    I've added my screenshots.