7032.txt

This is the snapshot of Snot Latest Rules

Rule: 

--
Sid: 
7032

-- 
Summary: 
This event is generated when GoToMyPC service is started on a local machine which then attempts to query the central GoToMyPC broker servers.  The GoToMyPC service provides access to a local machine from remote locations which may violate a corporate security policy.

-- 
Impact: 
This may be a violation of corporate policy since some applications can be used to bypass security measures designed to restrict the flow of corporate information to destinations external to the corporation. In some instances this event may indicate behavior contrary to best security practices.

--
Detailed Information:
When the GoToMyPC service is started on a (local) machine, it communicates it's availability to the central GoToMyPC broker servers at port 8200.  This rule looks for one of the steps in this communication setup, in particular, the request for the PingServlet (which acts as the heartbeat/polling application). 

GoToMyPC is a product of Citrix.

--
Affected Systems:
All systems

--
Attack Scenarios: 
Violation of corporate security policy can manifest serious risk to company assets.

-- 
Ease of Attack: 
Simple.

-- 
False Positives:
None known.

--
False Negatives:
None known.

-- 
Corrective Action: 
Ensure adherence to best security practices and strict adherence to corporate policy

--
Contributors:
Scott Austin <scott.austin@sourcefire.com>

-- 
Additional References:

GoToMyPC
http://www.gotomypc.com/howItWorks.tmpl

--