Author Topic: Battle.net Snort Signatures  (Read 4080 times)


Offline iago

Battle.net Snort Signatures
« on: July 17, 2005, 12:45:35 pm »
Last night, I wrote a set of Snort rules to detect problems with my Battle.net connection.  The rules can be found here:
http://www.javaop.com/~iago/battle.net.rules

Here is a screenshot of them working, with Base:
http://www.javaop.com/~iago/snort-battle.net.png

It should be included in the Bleeding Snort ruleset, under the Policy rules. 

Offline rabbit

Re: Battle.net Snort Signatures
« Reply #1 on: July 17, 2005, 12:59:27 pm »
You lost me at "I wrote a set of Snort rules"

Offline Newby

Re: Battle.net Snort Signatures
« Reply #2 on: July 17, 2005, 01:01:35 pm »
Then don't post? :p

Seems cool, I suppose.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

01Linux

  • Guest
Re: Battle.net Snort Signatures
« Reply #3 on: July 17, 2005, 01:15:56 pm »
Reminds me of QwertyMonster from vL forums

Offline Newby

Re: Battle.net Snort Signatures
« Reply #4 on: July 17, 2005, 01:16:32 pm »
Nope, it would have been "Lol haha :P" instead.

Man, I'm clever.

Offline iago

Re: Battle.net Snort Signatures
« Reply #5 on: July 17, 2005, 01:20:58 pm »
Snort is a program that detects network attacks based on signatures.  I posted the link to Snort's site so people could figure that out themselves instead of looking stupid :P

I wrote some signatures for it that, instead of detecting attacks, detect Battle.net problems.  If you look at the screenshot, you'll see that it sees failed logins and stuff.

And incidentally, Bleeding-Snort might be adding another rule set, specifically for games.  If they do, Battle.net stuff will go in there.  We'll see!
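
A sketch of what signatures of this kind can look like, as an added example that is not part of iago's post and is not taken from his battle.net.rules. It assumes Snort 2.x rule syntax, Battle.net traffic on TCP port 6112, the message layout described in the comments, and sids picked from the local range.

```snort
# Constructed illustration, not the rules linked in the thread.
# Assumed message layout (from public protocol notes, not from this page):
#   byte 0     0xFF, start-of-message marker
#   byte 1     message id (0x3A = server's reply to an account logon)
#   bytes 2-3  total length, little-endian (0x0008 = 4-byte header + 4-byte status)
#   bytes 4-7  status, little-endian (0 = ok, 1 = no such account, 2 = wrong password)
# No depth/offset is set, because several messages can share one TCP segment.

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"LOCAL GAMES Battle.net logon failed, wrong password"; flow:established,from_server; content:"|FF 3A 08 00 02 00 00 00|"; classtype:policy-violation; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"LOCAL GAMES Battle.net logon failed, account does not exist"; flow:established,from_server; content:"|FF 3A 08 00 01 00 00 00|"; classtype:policy-violation; sid:1000002; rev:1;)

# Five or more wrong-password replies to one client within a minute: one alert per window.
alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"LOCAL GAMES Battle.net repeated logon failures"; flow:established,from_server; content:"|FF 3A 08 00 02 00 00 00|"; threshold:type both, track by_dst, count 5, seconds 60; classtype:policy-violation; sid:1000003; rev:1;)
```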


Offline rabbit

Re: Battle.net Snort Signatures
« Reply #6 on: July 17, 2005, 04:03:57 pm »
See, I didn't see a short, simple description like that on the Snort page.  That's why I asked.  The FAQ went right from pronouncing names into IDS messages or something.

Offline RoMi

Re: Battle.net Snort Signatures
« Reply #7 on: July 17, 2005, 04:28:52 pm »
Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.html
Ron has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accommodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:
Go iago~!
« Last Edit: July 17, 2005, 08:57:46 pm by RoMi »
-RoMi

Offline iago

Re: Battle.net Snort Signatures
« Reply #8 on: July 17, 2005, 09:19:29 pm »
Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.html
Ron has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accommodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:
Go iago~!

Just to make it stand out more: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.html

I've been talking to the admin all day, actually.  He's a great guy.

Offline Krazed

Re: Battle.net Snort Signatures
« Reply #9 on: July 18, 2005, 10:11:05 pm »
Congratulations, quite an accomplishment.
It is good to be good, but it is better to be lucky.