I've updated the UltraSurf and https://vtunnel analysis


packetf...@gmail.com

Jul 14, 2010, 11:37:20 PM
to KK LUG
http://protocolunique.com/artikel8.html
Here I've updated the app log analysis and the pattern of this UltraSurf & vtunnel.. just think about which rule is suitable to detect it using the advanced portknock app. This article was written to find another alternative to being forced to use expensive embedded/firewall-based products that rely on complex anomaly and payload filtering techniques.

abglang

Feb 1, 2012, 11:06:53 PM
to kk-...@googlegroups.com
Greetings..
Eh.. has this article been deleted? Oh no..





arora anne

Feb 4, 2012, 5:22:11 AM
to kk-...@googlegroups.com
Hosting housekeeping
You can use hlbr http://hlbr.sourceforge.net/
- easier, transparent, lightweight
Here is an example rule:
<rule>
ip dst(www)
tcp dst(80)
tcp content(vtunnel)
message= block vtunnel 1
action=action1
</rule>

###block website
<rule>
ip dst(www)
tcp dst(80)
http regex(vtunnel)
message= block vtunnel tcp 2
action=action1
</rule>

###block website
<rule>
ip dst(www)
tcp dst(80)
http nocase(vtunnel)
message= block vtunnel
action=action1
</rule>

<rule>
ip dst(dns)
udp dst(53)
udp regex(vtunnel.com)
message=block http/s vtunnel.com
action=action1
</rule>

<rule>
ip dst(dns)
udp dst(53)
udp regex(ultrasurf)
message=block ultrasurf
action=action1
</rule>

Good luck





abglang

Feb 4, 2012, 5:37:59 AM
to kk-...@googlegroups.com

Thanks.

abglang

Feb 6, 2012, 3:01:27 AM
to kk-...@googlegroups.com

How do I write a rule to block audio/video streaming?


Edham Arief Dawillah

Feb 10, 2012, 12:55:17 PM
to kk-...@googlegroups.com
Arora anne,

Would it be possible to put this article on sabahopensource.org? Credits
to you.


--
Edham Arief Dawillah
edt...@gmail.com

arora anne

Feb 10, 2012, 7:57:53 PM
to kk-...@googlegroups.com
Sure,
I'll put it up on 18/02/2012, quite busy now setting up a WAF server for a customer.



protocolunique

Feb 28, 2012, 11:33:08 AM
to KK LUG
Greetings, sorry, I forgot to update.. the answer for abglang:
Signatures for MIME content types:
application/x-shockwave-flash
video/x-ms-asf
application/vnd.ms.wms-hdr.asfv1
application/x-mms-framed
audio/x-pn-realaudio

############################ full hlbr config ################
<rule>
ip src(lan)
udp dst(1-52, 54-66, 69-65535)
message=drop range of udp dst port 1-52,54-66,69-65535
action=action1
</rule>

<rule>
ip src(lan)
tcp dst(1-79, 81-442, 444-65535)
message=drop range of tcp dst port 1-79,81-442,444-65535
action=action1
</rule>

###########################################################################################################################################
#cat porn rule
<rule>
ip dst(www)
tcp dst(80)
http regex(adultsight|adultsite|adultsonly|adultweb|blowjob|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
message=block porn rule1 website-http
action=action1
</rule>


<rule>
ip dst(www)
udp dst(53)
udp regex(adultsight|adultsite|adultsonly|adultweb|blowjob|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
message=block porn rule 2 website-dns
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http regex(big|cyber|hard|huge|mega|small|soft|super|tiny|adult|babe|boob|breast|busen|busty|clit|cum|fetish|hooter|lez|lust|naked|nude|porn|porno|pupper|pussy|sex|smutpump|teen|tit|topp?les|xxx)
message=block porn rule 3 website-http
action=action1
</rule>

<rule>
ip dst(www)
udp dst(53)
udp regex(big|cyber|hard|huge|mega|small|soft|super|tiny|adult|babe|boob|breast|busen|busty|clit|cum|fetish|hooter|lez|lust|naked|nude|porn|porno|pupper|pussy|sex|smutpump|teen|tit|topp?les|xxx)
message=block porn rule 4 website-dns
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http regex(/xxx)
message=block porn rule 5 website-http
action=action1
</rule>

###############################################################################################################
#cat http.rules

<rule>
ip dst(www)
tcp dst(80)
tcp content(vtunnel)
message= block vtunnel 1
action=action1
</rule>

###block website
<rule>
ip dst(www)
tcp dst(80)
http regex(vtunnel)
message= block vtunnel tcp 2
action=action1
</rule>

###block website - this one is an example
<rule>
ip dst(www)
tcp dst(80)
http nocase(vtunnel)
message= block vtunnel
action=action1
</rule>

###block website
<rule>
ip dst(www)
tcp dst(80)
http regex(facebook.com)
message= block facebook.com
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http regex(youtube|yahoo.com)
message= block youtube & yahoo.com
action=action1
</rule>

#################################################################################################################################
#cat download.rule
###block website with filedownload with extension
<rule>
ip dst(www)
tcp dst(80)
http nocase(.exe)
message= block .exe
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.gz)
message= block .gz
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.zip)
message= block .zip
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.bin)
message= block .bin
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.bz2)
message= block .bz2
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.iso)
message= block .iso
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.mp3)
message= block .mp3
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.mpeg)
message= block .mpeg
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.mpg)
message= block .mpg
action=action1
</rule>

<rule>
ip dst(www)
tcp dst(80)
http nocase(.ogg)
message= block .ogg
action=action1
</rule>

###stream video /audio
<rule>
ip src(www)
tcp src(80)
tcp nocase(application/x-)
message= drop streaming video
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(video/)
message= drop streaming video
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(datarate)
message= drop streaming video payload datarate
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(sourcedata)
message= drop streaming video payload sourcedata
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(videodatarate)
message= drop streaming video payload videodatarate
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(videodata)
message= drop streaming video payload videodata
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(datasize)
message= drop streaming video payload datasize
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(metadatacreator)
message= drop streaming video payload metadatacreator
action=action1
</rule>



protocolunique

Feb 28, 2012, 11:18:00 AM
to KK LUG
Assalamualaikum
Sorry, I forgot to update.. for abglang's question.
For streaming video/audio, if you use hlbr http://hlbr.sourceforge.net/,
the MIME content-type response signatures are:

application/x-shockwave-flash
video/x-ms-asf
application/vnd.ms.wms-hdr.asfv1
application/x-mms-framed
audio/x-pn-realaudio

(this rule can block Flash, but it will cause false positives for websites, so it may not be needed)
<rule>
ip src(www)
tcp src(80)
tcp nocase(-flash)
message= drop streaming video flash
action=action1
</rule>

<rule>
ip src(www)
tcp src(80)
tcp nocase(application/vnd)
message= drop streaming video 1
action=action1
</rule>

OR

<rule>
ip src(www)
tcp src(80)
tcp nocase(application/x-)
message= drop streaming video 2
action=action1
</rule>
################### full hlbr.config
############################################################
# AlertHeader
#
# Sets the format used in the log file. Possible values are:
# %sip (source ip), %dip (ip destination), %sp (source port),
# %dp (destination port), %d (day), %m (month), %y (year), %h (hour),
# %min (minute), %s (seconds), %usec (microseconds), %pn (sequential
# packet number), %ac (alert number - starts with 1 every time suricata is
# restarted).


<system>
Name=HLBR_1
ID=1
Threads=1
AlertHeader=%ac %m/%d/%y %h:%min:%s %sip:%sp->%dip:%dp
PidFile=/var/run/hlbr.pid
</system>

#############################################################################
#############################################################################

<interface eth2>
Type=linux_raw
Proto=Ethernet
</interface>

<interface eth3>
Type=linux_raw
Proto=Ethernet
</interface>


#############################################################################
# IP Lists Section define first--very important
#############################################################################

<IPList www>
0.0.0.0/0
</list>

<IPList dnsblacklist>
0.0.0.0/0
</list>

<IPList dns>
202.188.0.133
202.188.1.5
</list>


<IPList ultrasurf>
65.49.14.0/24
</list>

<IPList lan>
192.168.1.0/24
</list>

<IPList servers>
www
dns
dnsblacklist
ultrasurf
lan
</list>


############################################################################
# Actions
#############################################################################

<action action1>
response=alert file(/var/log/hlbr/hlbr.log)
response=dump packet(/var/log/hlbr/hlbr.dump)
response=drop
</action>


<action action2>
response=alert file(/var/log/hlbr/hlbr2.log)
response=dump packet(/var/log/hlbr/hlbr2.dump)
</action>


############################################################################
# Routing Section
############################################################################
<routing>
SBridge(eth2, eth3)
</routing>

<decoder http>
OPTIONS,GET,HEAD,POST,CONNECT,PUT,DELETE,SEARCH,DELETE,TRACE,COPY,MOVE,PROPFIND,PROPPATCH,UNLOCK,LOCK,MKCOL,NOTIFY,POLL

</decoder>
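To see what the rule blocks in this thread actually match before putting an hlbr bridge inline, here is an added Python evaluator for them (example code written for this page, not part of hlbr or of any post above); it covers the vtunnel/DNS rules from the first reply as well as the download and streaming rules in the full config. It assumes `content` is a case-sensitive substring match, `nocase` a case-insensitive one and `regex` a Python `re.search` over the raw payload, that `http` tests apply to the TCP payload, and it does not model IP lists, port ranges or `action` lines.

```python
import re
# Three rules taken from the thread (ip list and action lines left out).
RULES = """
<rule>
tcp dst(80)
http nocase(.exe)
message= block .exe
</rule>
<rule>
udp dst(53)
udp regex(vtunnel.com)
message=block http/s vtunnel.com
</rule>
<rule>
tcp src(80)
tcp nocase(video/)
message= drop streaming video
</rule>
"""

def parse_rules(text):
    rules = []
    for block in re.findall(r"<rule>(.*?)</rule>", text, re.S):
        rule = {"tests": []}
        for line in block.strip().splitlines():
            if "=" in line:                       # message=..., action=...
                key, val = line.split("=", 1)
                rule[key.strip()] = val.strip()
            else:                                 # e.g. "udp regex(vtunnel.com)"
                rule["tests"].append(re.match(r"(\w+) (\w+)\((.*)\)$", line).groups())
        rules.append(rule)
    return rules

OPS = {"content": lambda a, t: a in t,                     # assumed semantics,
       "nocase": lambda a, t: a.lower() in t.lower(),      # not hlbr's own engine
       "regex": lambda a, t: re.search(a, t) is not None}

def rule_matches(rule, pkt):
    # pkt: {"proto": "tcp" or "udp", "src": port, "dst": port, "payload": bytes}
    text = pkt["payload"].decode("latin-1")       # 1:1 so regex sees raw DNS label bytes
    def check(proto, op, arg):
        if proto == "ip":
            return True                           # IP lists (www/dns) not modelled
        if op in ("src", "dst"):
            return proto == pkt["proto"] and int(arg) == pkt[op]
        return OPS[op](arg, text)                 # "http" treated like "tcp" payload
    return all(check(*t) for t in rule["tests"])

def alerts(rules, pkt):
    return [r["message"] for r in rules if rule_matches(r, pkt)]
```

Two things it makes visible: `http nocase(.exe)` fires on any request containing `.exe`, including a path like `/team.executive/`, and `udp regex(vtunnel.com)` only matches the DNS wire format because the unescaped `.` happens to match the label-length byte, whereas a literal `content(vtunnel.com)` would not.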