[Snort-openappid] Gmail detection

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Aug 11 10:45:05 EDT 2014


Payman,

Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the SSL Host patterns.
If you look at openappid/odp/lua/ssl_host_group_belvedere.lua, we have the following patterns now.


 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },


We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.

Thanks
Costas
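To make the SSL host pattern point concrete, here is an added illustration (not OpenAppID code, and not from either poster) of how entries shaped like the two quoted above, (flags, appId, pattern), would be matched against the TLS SNI host name of a connection, and why a list that carries only the wildcard '*.mail.google.com' and 'imap.gmail.com' never classifies https://mail.google.com itself. The wildcard semantics (a leading '*.' requires at least one extra label) and the "after" pattern list are assumptions chosen to mirror the fix Costas describes, not OpenAppID's actual matcher.

```python
"""Added illustration of SSL host pattern matching for app detection.

Not OpenAppID code: the matching semantics and the PATTERNS_AFTER list are
assumptions used to show why the bare host mail.google.com is missed.
"""
from typing import Optional

# Shape mirrors the entries quoted from ssl_host_group_belvedere.lua:
# (flags, appId, pattern). 655 is the Gmail app id used in the thread.
PATTERNS_BEFORE = [
    (0, 655, "*.mail.google.com"),
    (0, 655, "imap.gmail.com"),
]

# Constructed "after" list (assumption): what a fix that "allows the proper
# SSL patterns from gmail.com and mail.google.com" could look like.
PATTERNS_AFTER = PATTERNS_BEFORE + [
    (0, 655, "mail.google.com"),
    (0, 655, "gmail.com"),
    (0, 655, "*.gmail.com"),
]


def host_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '*.' matches one or more leading labels, so the
    wildcard does NOT cover the bare name; everything else is an exact,
    case-insensitive comparison (trailing dot on the host ignored)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.mail.google.com" -> ".mail.google.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify_sni(host: str, patterns) -> Optional[int]:
    """Return the app id of the most specific (longest) matching pattern,
    or None when nothing matches (the connection stays unclassified)."""
    best = None
    for _flags, app_id, pattern in patterns:
        if host_matches(pattern, host) and (best is None or len(pattern) > len(best[1])):
            best = (app_id, pattern)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed sample SNI values; the first and fourth are the gap.
    for sni in ("mail.google.com", "accounts.mail.google.com",
                "imap.gmail.com", "gmail.com", "www.google.com"):
        print(f"{sni:26s} before={classify_sni(sni, PATTERNS_BEFORE)} "
              f"after={classify_sni(sni, PATTERNS_AFTER)}")
```

Running it shows mail.google.com and gmail.com classified as None against the "before" list and as 655 against the "after" list, while a sub-host such as accounts.mail.google.com is already covered by the wildcard; that is the behaviour gap the thread reports for HTTPS Gmail sessions.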

From: Peyman Gohari <peyman.gohari.pub at ...8...>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Gmail detection

Hi

  I have been trying OpenAppId using snort-2.9.7.0_beta.
  I am quite happy with the result when it comes to detecting non-HTTPS sites (e.g. cnn.com, as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- only register the HTTP patterns if this build exposes the CHP API
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0)                                   -- app id 655 = Gmail
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "")
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "")
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&")
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help
PG
