BetOnline.ag Online Internet Poker PCAP Traffic Sample Analysis Snort Rule

How can you tell whether your employees are spending time at work playing on one of the most popular online poker sites for US citizens? Simple:

```text
alert tcp $HOME_NET any -> [161.22.49.0/24] any (msg:"BetOnline Poker Detected"; content:"poker.betonline.ag"; tag:session,60,seconds; sid:20161019; rev:1;)
```

```text
2016-10-19 17:59:40.731904 IP 192.168.1.102.61567 > 161.22.49.233.443: Flags [R.], seq 1, ack 1, win 0, length 0
2016-10-19 17:59:40.732414 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [S], seq 1713469354, win 65535, options [mss 1460,nop,wscale 3,nop,nop,sackOK], length 0
2016-10-19 17:59:40.824057 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 1826761741, win 32768, length 0
2016-10-19 17:59:40.824462 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 0:387, ack 1, win 32768, length 387
.j.@.8.2……………poker.betonline.ag……….
2016-10-19 17:59:40.904881 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 110, win 32754, length 0
2016-10-19 17:59:40.905663 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 387:438, ack 110, win 32754, length 51
2016-10-19 17:59:40.906039 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 438:1225, ack 110, win 32754, length 787
2016-10-19 17:59:40.983329 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 501, win 32705, length 0
2016-10-19 17:59:41.829436 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [P.], seq 273:311, ack 13185, win 257, length 38
2016-10-19 17:59:41.877901 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13343, win 256, length 0
2016-10-19 17:59:41.994327 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13385, win 256, length 0
2016-10-19 17:59:42.875535 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13575, win 255, length 0
2016-10-19 17:59:44.136712 IP 192.168.1.102.61379 > 161.22.49.234.3401: Flags [.], ack 3116, win 252, length 0
```
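To show what the rule keys on in the 387-byte ClientHello above, here is an added Python example (not from the original post) that builds a constructed TLS ClientHello with an SNI extension, parses the server name back out, and applies the rule's two conditions (destination inside 161.22.49.0/24, content string present in the payload) to sample packets. The packet bytes and the non-matching IP 198.51.100.10 are constructed for the example, not taken from the capture.

```python
import ipaddress
import struct
RULE_NET = ipaddress.ip_network("161.22.49.0/24")   # the [161.22.49.0/24] from the rule
RULE_CONTENT = b"poker.betonline.ag"                # the content: option from the rule

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input, not capture bytes)."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list               # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"      # one cipher suite, one (null) compression method
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

def extract_sni(payload: bytes):
    """Walk a ClientHello record and return the SNI host_name, or None if absent or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                   # record(5) + handshake hdr(4) + version(2) + random(32)
        pos += 1 + payload[pos]                    # skip session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + payload[pos]                    # skip compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def rule_matches(dst_ip: str, payload: bytes) -> bool:
    """The rule's two conditions: destination inside the /24 and the content string anywhere in the payload."""
    return ipaddress.ip_address(dst_ip) in RULE_NET and RULE_CONTENT in payload

def detect(packets):  # -> [(dst_ip, sni)] for every (dst_ip, payload) pair the rule would alert on
    return [(dst, extract_sni(p)) for dst, p in packets if rule_matches(dst, p)]

# Constructed sample flows: the poker SNI to the rule's /24, the same SNI elsewhere, and an unrelated SNI.
SAMPLE_PACKETS = [
    ("161.22.49.233", build_client_hello(b"poker.betonline.ag")),
    ("198.51.100.10", build_client_hello(b"poker.betonline.ag")),
    ("161.22.49.233", build_client_hello(b"www.example.com")),
]
```

Because the Snort content match is a plain substring search over the whole payload, the SNI parser is what confirms that a hit really came from the server name the client asked for, rather than from the string appearing elsewhere in the stream.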
