Look for NetMeeting audit events in an upcoming XPU...

--Michael Lynn

-----Original Message-----
From: Sergey V Soldatov [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 10:45 AM
To: Lynn, Michael (ISS Atlanta)
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ISSForum] Detecting NetMeeting traffic by RS NS7.0

Because NetMeeting is an unsafe application allowing P2P between users in the LAN, NetMeeting usage in our company's network is forbidden. So I faced the problem of detecting NetMeeting traffic. I found that NetMeeting uses a set of protocols, such as H.323, T.120, LDAP... and wrote the following TRONS rules for NS:

##alert tcp any any -> any 389 (flags: S; msg: "NetMeeting ILS connection attempt";)
##alert tcp any any -> any 522 (flags: S; msg: "NetMeeting ULS connection attempt";)
#T.120 data conferencing (listening when NetMeeting's running)
alert tcp any any -> any 1503 (flags: S; msg: "NetMeeting T.120 connection attempt";)
#H.323 call setup (listening when NetMeeting's running)
alert tcp any any -> any 1720 (flags: S; msg: "NetMeeting H.323 call setup attempt";)
alert tcp any any -> any 1731 (flags: S; msg: "NetMeeting Audio call setup attempt";)

The first two I commented out because of the great number of false positives. Information can be found in Microsoft's How-To: Q158623 - How to Establish NetMeeting Connections Through a Firewall.

Also, I discovered that if the NetMeeting client is up, ports 1503 (T.120) and 1720 (H.323) are listening. It is simple to detect with nmap, but for IS I also wrote a flexCheck in Perl (see attached netMeetingClientRunnung.zip) to detect a NetMeeting client running on the scanned host.

(See attached file: netMeetingClientRunnung.zip)

Wishes:
1. It is desirable for ISS to develop an informational signature for detecting NetMeeting traffic more carefully (with packet content analysis).

Thanks a lot for the reply!

---
Best regards,
Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)

"Lynn, Michael (ISS Atlanta)" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent by:
cc: [EMAIL PROTECTED]
Subject: [ISSForum] Detecting NetMeeting traffic by RS NS7.0
17.03.2004 00:12

At this time we do detect and decode NetMeeting traffic looking for attacks, but we don't display any audit events to the user. Give me a description of what you would like to see and I'll see if I can't get it out in an update in the near future.

--Mike Lynn

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Tuesday, March 16, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Detecting NetMeeting traffic by RS NS7.0

Good day.

It is very important for me to detect NetMeeting traffic in my LAN. How can I do this with RealSecure Network Sensor? I haven't found any standard NS signatures, and on Snort.org (to create a TRONS signature) also nothing interesting.

Thanks a lot.

---
Best regards,
Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
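
Added example, not part of the thread and not ISS or RealSecure code: the port-based SYN rules quoted above, applied offline to constructed flow records. As an assumption of this example, SYNs to the noisy directory ports 389 and 522 are reported only when the same source also sends a SYN to 1503, 1720 or 1731 within a hypothetical 30-second window.

```python
from collections import defaultdict

# Ports taken from the rules in the thread. STRONG are the rules left enabled
# there; WEAK are the ILS/ULS rules commented out for false positives.
STRONG = {1503: "T.120 data conferencing", 1720: "H.323 call setup",
          1731: "audio call setup"}
WEAK = {389: "ILS (LDAP)", 522: "ULS"}

# Constructed sample records: (time_s, src, dst, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    (10.0, "10.0.0.5", "10.0.0.9", 389, "S"),    # plain LDAP lookup, no call
    (20.0, "10.0.0.7", "10.0.0.20", 389, "S"),   # directory lookup ...
    (21.5, "10.0.0.7", "10.0.0.8", 1720, "S"),   # ... then H.323 call setup
    (21.9, "10.0.0.7", "10.0.0.8", 1503, "S"),   # and T.120 data channel
    (22.0, "10.0.0.8", "10.0.0.7", 1720, "SA"),  # SYN-ACK, not a bare SYN
    (300.0, "10.0.0.5", "10.0.0.30", 522, "S"),  # ULS port, nothing follows
]

def detect(flows, window=30.0):
    """Return {src: sorted [(time, port, label)]} for likely NetMeeting use.

    A bare SYN to a STRONG port always alerts. A bare SYN to a WEAK port
    alerts only if the same source also sent a SYN to a STRONG port within
    `window` seconds (correlation rule assumed by this example).
    """
    strong_times = defaultdict(list)
    weak_hits = []
    alerts = defaultdict(list)
    for ts, src, _dst, dport, flags in flows:
        if flags != "S":            # mirrors "flags: S" in the rules
            continue
        if dport in STRONG:
            strong_times[src].append(ts)
            alerts[src].append((ts, dport, STRONG[dport]))
        elif dport in WEAK:
            weak_hits.append((ts, src, dport))
    for ts, src, dport in weak_hits:
        if any(abs(ts - t) <= window for t in strong_times[src]):
            alerts[src].append((ts, dport, WEAK[dport]))
    return {src: sorted(hits) for src, hits in alerts.items()}

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_FLOWS).items():
        print(src, hits)
```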
