BetOnline.ag Online Internet Poker PCAP Traffic Sample Analysis Snort Rule

Posted on - by admin

How to tell if your employees are spending time at work playing one of the most popular online poker sites for US citizens? Simple:

 

alert tcp $HOME_NET any -> [161.22.49.0/24] any (msg:”BetOnline Poker Detected”; content:”poker.betonline.ag”; tag: session, 60, seconds; sid:20161019; rev:1;)

 

2016-10-19 17:59:40.731904 IP 192.168.1.102.61567 > 161.22.49.233.443: Flags [R.], seq 1, ack 1, win 0, length 0
E..(4.@…1….f..1………..I.P…<………
2016-10-19 17:59:40.732414 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [S], seq 1713469354, win 65535, options [mss 1460,nop,wscale 3,nop,nop,sackO
K], length 0
E..44.@…1….f..1…..f!w………
……………
2016-10-19 17:59:40.824057 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 1826761741, win 32768, length 0
E..(4.@…1….f..1…..f!w.l.,.P…1………
2016-10-19 17:59:40.824462 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 0:387, ack 1, win 32768, length 387
E…4.@…/….f..1…..f!w.l.,.P….3……~…z..X……f…9.U..z”.No.h…9…?…8.,.+.0./…..$.#.(.’.
.       …..9.3…..=.<.5./.
.j.@.8.2……………poker.betonline.ag……….
…………………………………#…8….z.%u.+S..{      ..nZ………..?.C.E.{3..[…6…M..j.$.J.&.=..C…..A.i….i……gWH…}…r.]W…..c…\<EG.c.\2″.L…….~..@…?…(..BYV.=…..   z…..j…4.%…..B…z..`.N….=..X..}………..
2016-10-19 17:59:40.904881 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 110, win 32754, length 0
E..(4.@…1….f..1…..f!y.l.,zP…/………
2016-10-19 17:59:40.905663 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 387:438, ack 110, win 32754, length 51
E..[4.@…0….f..1…..f!y.l.,zP….i…………(………/……..Z.!.ZiS..A.<…v..c.=.
2016-10-19 17:59:40.906039 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 438:1225, ack 110, win 32754, length 787
E..;4.@……..f..1…..f!yal.,zP…t………………..c..&…..O…….1{…_ .h^t.Z.4o.V……….&~.$J…~.JK\.).Y.3bf..35O9y.$…….. ….D>a>y.^;5.Q……|……L….Q#..!.E..5Mx.q{RH….V..m..=;.U..~….Nm……|5#t.kt……&G
33@E.m…`….W`….nY.D….s..R.t…:|.7.f…W62…(…………..z
{……yM.N..@x.)A.T..B..$e………Y. ….i.G..K}v…o……oS…..j……..A…..koF”,…3..s.Z….4X.m2…1…..nD…ry|L.b…………….K…QX.w…V.
.DV/#^.^..8.\..Q.Q.,..Ded..!……….x..k….l…n..d………..M..}….q.c.]]…~+6..i..@./V;…@.{…3Z .4n…..|..l…^/.WbdFTY……iP”r……….J.K.C..a..0.7……..H?……g…e….6..R@……`….&-.$.9.-B?..f?….@….R,….#…. …;.b.c..Y. ..w…..).|…iM/..I.MpA.=S`.vE\…..8P’T.Y……….L.97′.MV=.~..q…}……..Q.;@2..1.MLm.x.%.P…..q…..A.o..
2016-10-19 17:59:40.983329 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 501, win 32705, length 0
E..(4.@…1….f..1…..f!|tl…P…+P……..
2016-10-19 17:59:41.829436 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [P.], seq 273:311, ack 13185, win 257, length 38
E..N..@…e….f..1….I……..P………..!7_…KxR..]P…….1.a)… ….a.
2016-10-19 17:59:41.877901 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13343, win 256, length 0
E..(..@…e….f..1….I……..P………….
2016-10-19 17:59:41.994327 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13385, win 256, length 0
E..(..@…e….f..1….I……..P………….
2016-10-19 17:59:42.875535 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13575, win 255, length 0
E..(..@…e….f..1….I…….uP………….
2016-10-19 17:59:44.136712 IP 192.168.1.102.61379 > 161.22.49.234.3401: Flags [.], ack 3116, win 252, length 0
:

Leave a Reply