[Snort-openappid] Gmail detection

Peyman Gohari peyman.gohari.pub at ...8...
Mon Aug 11 10:04:51 EDT 2014


Hi

  I have been trying OpenAppId using snort-2.9.7.0_beta.
  I am quite happy with the result when it comes to detecting non-HTTPS
sites (e.g. cnn.com, as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It seems
that the code used for detecting Gmail sits
in openappid/odp/lua/payload_gmail_userid.lua, with the core function
being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail works.
I am looking for documentation on the function CHPCreateApp or any
explanation on how the function DetectorInit works. If someone can help me,
that would be great.

Thanks for your help
PG
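Added here as an illustration, not OpenAppID's own code and not part of the original post: a small Python model of how a host/URI rule table like the Gmail one above could be evaluated against a single cleartext HTTP request. The reading of the numeric arguments (1 = Host header, 3 = request URI, second argument = key pattern, action 2 = extract the value up to the terminator string) is an assumption, not something documented on this page; the Host header and URI of a TLS-wrapped session are in any case not visible to a passive sensor, so rules of this kind can only fire on plain HTTP.

```python
# Hypothetical model of the CHP rule table from payload_gmail_userid.lua.
# ASSUMPTION: field/action numbering is inferred from the Lua calls on the
# page, not taken from OpenAppID's engine or documentation.

GMAIL_APPID = 655  # app id used by the detector on the page

# (is_key, field, pattern, action, action_data) transcribed from the Lua:
#   CHPAddAction(655, 1, 1, "mail.google.com", 0, "")
#   CHPAddAction(655, 0, 3, "mail",            0, "")
#   CHPAddAction(655, 0, 3, "?gxlu=",          2, "&")
GMAIL_RULES = [
    (True,  "host", "mail.google.com", 0, ""),
    (False, "uri",  "mail",            0, ""),
    (False, "uri",  "?gxlu=",          2, "&"),
]


def match_request(host, uri, rules=GMAIL_RULES, appid=GMAIL_APPID):
    """Evaluate one request against the rule table.

    Returns (appid, user_id): appid when every key pattern matched,
    otherwise None; user_id when an extract action (2) fired, else None.
    """
    fields = {"host": host.lower(), "uri": uri}
    key_total = key_hits = 0
    user_id = None
    for is_key, field, pattern, action, data in rules:
        haystack = fields[field]
        pos = haystack.find(pattern)
        if is_key:
            # Key patterns decide whether the app is identified at all.
            key_total += 1
            key_hits += pos >= 0
            continue
        if pos < 0:
            continue
        if action == 2:
            # Assumed meaning: copy the text after the pattern up to the
            # terminator in action_data (or to end of field if absent).
            start = pos + len(pattern)
            end = haystack.find(data, start) if data else -1
            user_id = haystack[start:end] if end >= 0 else haystack[start:]
    if key_total and key_hits == key_total:
        return appid, user_id
    return None, None
```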