Text only | Text with Images

Clan x86

General Forums => General Discussion => Topic started by: iago on July 17, 2005, 12:45:35 PM

Title: Battle.net Snort Signatures
Post by: iago on July 17, 2005, 12:45:35 PM
Last night, I wrote a set of Snort (http://www.snort.org) rules to detect problems with my Battle.net connection.  The rules can be found here:
http://www.javaop.com/~iago/battle.net.rules

Here is a screenshot of them working, with Base:
http://www.javaop.com/~iago/snort-battle.net.png

It should be included in the Bleeding Snort (http://www.bleedingsnort.org) ruleset, under the Policy rules. 
Title: Re: Battle.net Snort Signatures
Post by: rabbit on July 17, 2005, 12:59:27 PM
You lost me at "I wrote a set of Snort rules"
Title: Re: Battle.net Snort Signatures
Post by: Newby on July 17, 2005, 01:01:35 PM
Then don't post? :p

Seems cool, I suppose.
Title: Re: Battle.net Snort Signatures
Post by: 01Linux on July 17, 2005, 01:15:56 PM
Reminds me of QwertyMonster from vL forums
Title: Re: Battle.net Snort Signatures
Post by: Newby on July 17, 2005, 01:16:32 PM
Nope, it would have been "Lol haha :P" instead.

Man, I'm clever.
Title: Re: Battle.net Snort Signatures
Post by: iago on July 17, 2005, 01:20:58 PM
Snort is a program that detects network attacks based on signatures.  I posted the link to Snort's site so people could figure that out themselves instead of looking stupid :P

I wrote some signatures for it that, instead of detecting attacks, detects Battle.net problems.  If you look at the screenshot, you'll see that it sees failed logins and stuff.

And incidentally, Bleeding-Snort might be adding another rule set, specifically for games.  If they do, Battle.net stuff will go in there..  We'll see!

Title: Re: Battle.net Snort Signatures
Post by: rabbit on July 17, 2005, 04:03:57 PM
See, I didn't see a short, simple description like that on the Snort page.  That's why I asked.  The FAQ went right from pronouncing names into IDS messages or something.
Title: Re: Battle.net Snort Signatures
Post by: RoMi on July 17, 2005, 04:28:52 PM
Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.htmlRon has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accomodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:
Go iago~!
Title: Re: Battle.net Snort Signatures
Post by: iago on July 17, 2005, 09:19:29 PM
Quote from: RoMi on July 17, 2005, 04:28:52 PM
Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.htmlRon has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accomodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:
Go iago~!

Just to make it stand out more: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.html

I've been talking to the admin all day, actually.  He's a great guy.
Title: Re: Battle.net Snort Signatures
Post by: Krazed on July 18, 2005, 10:11:05 PM
Congradulations, quite an accomplishment.
Text only | Text with Images