[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Sat Nov 1 08:18:16 EDT 2014


Hi Costas,

Thanks. I downloaded the new version but still no luck. It detects http
sites perfectly but not https.

I tried http://mail.google.com and it blocked; however, it is unable to block
https://mail.google.com.

Here is how my environment is set up (just in case the environment is the issue):

Windows 7, IE 10 & FF 27 browsers as my client system
Linux Fedora 13 system as my default gateway with snort-openappid installed.

[root at ...50... openappid]# cat odp/version.conf
VERSION=223
[root at ...50... openappid]#

Version 2.9.7.0 GRE (Build 149)
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>


Here is the log for the http website:

Nov  1 17:38:26 Fedora13 snort[2819]: [1:100010:4] appid_gmail:block {TCP}
74.125.236.118:80 -> 192.168.121.99:64718

Just to be sure, I am going to try it on latest Ubuntu.

If OS is not an issue here, then please let me know if there are any
troubleshooting steps or logs I can collect to help resolve this issue.

Regards,
Sabu

On Fri, Oct 31, 2014 at 10:16 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...
> wrote:

>  Sabu,
>
>  We have actually released a new version of our detector package today at
> https://www.snort.org/downloads, in which we have also included the fix
> for this issue.
>
>  Feel free to download that one and make sure that your version of the
> odp package is the following:
>
>  odp/version.conf
>
> VERSION=223
>
>  Let us know if you are still seeing more issues after you test it with
> this one.
>
>  Thanks
> Costas
>
>
>   From: Sabu Thaliyath <sabu.thaliyath at ...8...>
> Date: Friday, October 31, 2014 at 12:35 PM
> To: "Snort-openappid at lists.sourceforge.net" <
> Snort-openappid at lists.sourceforge.net>
> Subject: Re: [Snort-openappid] Gmail detection
>
>   Hi Costas,
>
>  I am facing the same issue as Payman. Tried tweaking
> ' openappid/odp/lua/ssl_host_group_belvedere.lua ' to get gmail blocked.
> But no luck. I see none of the https websites or applications getting
> blocked.
>
>  Is there any documentation on how lua/ssl_host_group_belvedere.lua works
> ? I read Opensource Detectors developer guide but still couldn't figure out
> much.
>
>  Any plans to fix this issue ?
>
>  Regards,
> Sabu
>
>
>     Re: [Snort-openappid] Gmail detection
> <http://sourceforge.net/p/snort/mailman/message/32704933/>
> From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14
>
>
>  Payman,
>
> Thank you for bringing it to our attention.
>
> The correct configuration files for gmail are with the use of the SSL Host patterns.
> If you look at openappid/odp/lua/ssl_host_group_belvedere.lua, we have the following patterns now:
>
>
>  { 0, 655, '*.mail.google.com' },
>
>  { 0, 655, 'imap.gmail.com' },
>
>
> We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.
>
> Thanks
> Costas
>
> From: Peyman Gohari <peyman.gohari.pub at ...39...>
> Date: Monday, August 11, 2014 at 10:04 AM
> To: "snort-openappid at ...39..." <snort-openappid at ...39...>
> Subject: [Snort-openappid] Gmail detection
>
> Hi
>
>   I have been trying OpenAppId using snort-2.9.7.0_beta.
>   I am quite happy with the result when it comes to detecting non-HTTPS sites (ex: cnn.com, as per the tutorial).
>   However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:
>
> function DetectorInit(detectorInstance)
>     gDetector = detectorInstance
>     -- only register the CHP (HTTP) patterns if this engine exposes the CHP API
>     if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
>         gDetector:CHPCreateApp(655, 1, 0);   -- appId 655 = Gmail
>         gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
>         gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
>         gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
>     end
>     return gDetector
> end
>
>   I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.
>
> Thanks for your help
> PG
>
>

