How to capture HTTP POST and GET traffic on SCSP agents

Created: 27 Mar 2013 | 2 comments

Can anyone explicate the rule/template existing in SCSP to capture network-based indications for the traffic below?

 

HTTP POST traffic containing:     

  • Name=GeorgeBush&userid<4 digit number>&other=

 

HTTP GET traffic to pages with paths:

 

  • Aspnet_client/report.asp
  • Resource/device_Tr.asp
  • Images/device_index.asp
  • News/media/info.html
  • Backsangho.jpg
  • addCats.asp
  • SmarNav.jpg
  • Nblogo2.jpg

mathell's picture

Don't know squat about SCSP, but according to Symantec those are all indicators associated with the "comment crew", a Chinese threat group (APT).

 

https://www-secure.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

premkumarGM's picture

Thanks Mathell, I would like to add them in the rules at SCSP. Can you please assist me with what would be the filter and the path of the file that needs to be added?
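
Added example, not part of the original thread and not SCSP policy syntax: one way to check the indicators listed in the question against web proxy logs in Python. The tab-separated log layout, the function names and the sample lines are assumptions constructed for illustration, and the `=` after `userid` is treated as optional because the post does not show it.

```python
import re
from urllib.parse import urlsplit

# POST body indicator from the question. The post does not show whether "="
# follows "userid", so it is treated as optional here (assumption).
POST_BODY_RE = re.compile(r"Name=GeorgeBush&userid=?\d{4}&other=")
# GET path indicators exactly as listed in the question.
GET_PATHS = [
    "Aspnet_client/report.asp", "Resource/device_Tr.asp", "Images/device_index.asp",
    "News/media/info.html", "Backsangho.jpg", "addCats.asp", "SmarNav.jpg", "Nblogo2.jpg",
]

def match_request(method, url, body=""):
    """Return a description of the indicator a request matches, or None."""
    if method.upper() == "POST" and POST_BODY_RE.search(body):
        return "POST body: Name=GeorgeBush&userid<4 digits>&other="
    if method.upper() == "GET":
        # Compare the path only (no query string), case-insensitively, and on
        # a "/" boundary so "/xaddCats.asp" does not match "addCats.asp".
        path = urlsplit(url).path.lower()
        for original in GET_PATHS:
            if path.endswith("/" + original.lower()):
                return "GET path: " + original
    return None

def scan(lines):
    """Scan tab-separated lines (time, client, method, url, body) for hits."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue  # skip malformed lines instead of raising
        body = fields[4] if len(fields) > 4 else ""
        indicator = match_request(fields[2], fields[3], body)
        if indicator:
            hits.append((fields[0], fields[1], indicator))
    return hits

# Constructed sample log lines (hypothetical hosts, documentation IP addresses).
SAMPLE_LOG = [
    "2013-03-27T10:00:01Z\t192.0.2.10\tGET\thttp://site.example/Images/device_index.asp?id=7\t",
    "2013-03-27T10:00:05Z\t192.0.2.11\tPOST\thttp://site.example/login\tName=GeorgeBush&userid=1234&other=",
    "2013-03-27T10:00:09Z\t192.0.2.12\tGET\thttp://site.example/index.html\t",
    "2013-03-27T10:00:12Z\t192.0.2.13\tGET\thttp://site.example/img/xaddCats.asp\t",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```
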