
t1ck3ts
Resolved
0 votes
Hey guys

Been trying to get this to work, with no luck. I want to block TeamViewer and others like it from behind my network.
I've tried a Squid ACL, again, no luck.

acl teamviewer browser DynGate
acl teamviewer-b dstdomain .teamviewer.com
acl teamviewer-reg url_regex teamviewer.com
acl teamviewer-in url_regex din\.aspx\?s=[0-9]+&id=[0-9]+&client=DynGate(&rnd=[0-9]+)?&p=[0-9]+
acl teamviewer-out url_regex dout\.aspx\?s=[0-9]+&p=[0-9]+&client=DynGate

http_access deny teamviewer
http_access deny teamviewer-b
http_access deny teamviewer-reg
http_access deny teamviewer-in
http_access deny teamviewer-out


Also, I don't even know if this is used for the proxy of outgoing info for the clients behind the ClearOS, just been googling and stuff.

Is there another way? Snort? Iptables, etc?
Sunday, August 25 2013, 11:00 PM
Responses (3)
  • Accepted Answer

    Tuesday, August 27 2013, 12:38 PM - #Permalink
    Resolved
    0 votes
    Hello,

    You only want to block the application?

    Do you want the TeamViewer website to keep working normally?

    This is an excerpt from the TeamViewer log file:

    Start: 08/07/2013 16:37:31.648
    Version: 8.0.19617
    ID: 0
    Loglevel: Info (100)
    License: 0
    Server: master15.teamviewer.com
    IC: -1157366068

    The IP of master15.teamviewer.com is 178.77.120.6

    If you block only this range, 178.77.120.0/24, it succeeds.

    Intrusion detection could be used to block threats or intrusions, but I believe it would not be ideal for what you want.

    Be sure to ask questions, and forgive my bad English
  • Accepted Answer

    t1ck3ts
    Tuesday, August 27 2013, 09:02 AM - #Permalink
    Resolved
    0 votes
    Hey Thiago

    Thanks, those work :) so for now I will have to do it this way.
    I was looking for a deeper scan, still allowing normal HTTP access and stuff, but not allowing the actual application to run.

    Emerging Threats POLICY rules pick up the application usage over the network, but I don't know how to take that rule and turn it into a block (Snort rules).

    Something like the BLOCK rules from Emerging Threats.
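Turning an alerting POLICY rule into a blocking one, as asked in the post above, comes down to changing the rule action from `alert` to `drop`, which only blocks traffic when Snort runs inline. The Python below is an added example (not from the thread and not Emerging Threats code) that does this for rules whose `msg` matches a pattern; the sample rules, their SIDs and the function name `to_drop` are constructed for illustration.

```python
import re

# Constructed sample rules in Snort 2.x syntax. These are NOT real Emerging
# Threats rules; the SIDs are placeholders from the local range (>= 1000000).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"LOCAL POLICY TeamViewer session (constructed)"; flow:established,to_server; sid:1000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL POLICY TeamViewer DynGate request (constructed)"; flow:established,to_server; content:"client=DynGate"; http_uri; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL POLICY Other remote tool (constructed)"; sid:1000003; rev:1;)
'''

# An active or commented-out rule line whose action is "alert".
RULE_RE = re.compile(r'^(?P<off>#\s*)?alert(?P<rest>\s+\S+\s.*\(.*\)\s*)$')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')


def to_drop(rules_text, msg_pattern, enable_disabled=True):
    """Rewrite 'alert' to 'drop' for rules whose msg matches msg_pattern.

    Returns (new_text, changed_sids). Every other line passes through
    untouched, so the result can replace a local copy of the rules file.
    """
    want = re.compile(msg_pattern, re.IGNORECASE)
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        msg = MSG_RE.search(line) if m else None
        if not (m and msg and want.search(msg.group(1))):
            out.append(line)
            continue
        if m.group('off') and not enable_disabled:
            out.append(line)  # keep a disabled rule disabled
            continue
        out.append('drop' + m.group('rest'))  # also strips a leading '#'
        sid = SID_RE.search(line)
        changed.append(int(sid.group(1)) if sid else None)
    return '\n'.join(out), changed


if __name__ == '__main__':
    new_rules, sids = to_drop(SAMPLE_RULES, r'teamviewer')
    print(new_rules)
    print('converted SIDs:', sids)
```

Keep the converted rules in a local file and review the SID list before loading it, since a rule-set update would otherwise overwrite the changed action.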
  • Accepted Answer

    Monday, August 26 2013, 05:11 PM - #Permalink
    Resolved
    0 votes
    Hello

    I do the following and it has worked:

    Block TCP port 5938

    Block these domains / ip addresses:

    teamviewer.com
    beta.teamviewer.com
    178.77.120.0/24

    Do this in the firewall, on output.

    If you have any questions, I am available!