Detection Ultrasurf's traffic
As you know, Ultrasurf is the most famous tool for bypassing content filter systems.
Here is the snort rule for detecting Ultrasurf's traffic. this rule detects Ultrasurf's self-signed SSL certificate and can never be false-positive.
#Ozan UCAR @2013
#SSL Client Hello Hex Value 16 03 00 00 61 01 00 00 5d 03
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "Ultrasurf"; flow:to_server,established; content:"|16030000610100005d03|"; classtype:policy-violation; sid:1000099;)
Also, you can block their traffic with snort. Just replace 'alert' to 'drop' or use Snort's 'react' module.
Example log output;
01/06/14-23:01:41.885614 ,1,1000099,0,"Ultrasurf",TCP,x.x.x.241,26434,220.127.116.11,443,17301,Potential Corporate Privacy Violation,1,
I attached screenshots to this post.
Thank you for sharing
I think I have the wrong or your system dosent work
I've addes my screenshoots.