Battle.net Snort Signatures

iago · July 17, 2005, 12:45:35 PM

Last night, I wrote a set of Snort rules to detect problems with my Battle.net connection. The rules can be found here:
http://www.javaop.com/~iago/battle.net.rules

Here is a screenshot of them working, with Base:
http://www.javaop.com/~iago/snort-battle.net.png

It should be included in the Bleeding Snort ruleset, under the Policy rules.

rabbit · July 17, 2005, 12:59:27 PM

You lost me at "I wrote a set of Snort rules"

Newby · July 17, 2005, 01:01:35 PM

Then don't post? :p

Seems cool, I suppose.

01Linux · July 17, 2005, 01:15:56 PM

Reminds me of QwertyMonster from vL forums

Newby · July 17, 2005, 01:16:32 PM

Nope, it would have been "Lol haha :P" instead.

Man, I'm clever.

iago · July 17, 2005, 01:20:58 PM

Snort is a program that detects network attacks based on signatures. I posted the link to Snort's site so people could figure that out themselves instead of looking stupid :P

I wrote some signatures for it that, instead of detecting attacks, detects Battle.net problems. If you look at the screenshot, you'll see that it sees failed logins and stuff.

And incidentally, Bleeding-Snort might be adding another rule set, specifically for games. If they do, Battle.net stuff will go in there.. We'll see!

rabbit · July 17, 2005, 04:03:57 PM

See, I didn't see a short, simple description like that on the Snort page. That's why I asked. The FAQ went right from pronouncing names into IDS messages or something.

RoMi · July 17, 2005, 04:28:52 PM

Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.htmlRon has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accomodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:

Go iago~!

iago · July 17, 2005, 09:19:29 PM

Quote from: RoMi on July 17, 2005, 04:28:52 PM
Quote from: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.htmlRon has sent us a nice collection of game server sigs for battlenet
servers. Yup, people still play starcraft (myself included) :)

To accomodate these we've started a games ruleset. There are enough of
these sigs, and the possibility of others that it's worth it.

So if you're interested in running these sigs be sure to add the
following to snort.conf:
Go iago~!

Just to make it stand out more: http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-July/000675.html

I've been talking to the admin all day, actually. He's a great guy.

Krazed · July 18, 2005, 10:11:05 PM

Congradulations, quite an accomplishment.

Clan x86

News:

Battle.net Snort Signatures

iago

rabbit

Newby

01Linux

Newby

iago

rabbit

RoMi

iago

Krazed