[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Tue Nov 4 00:11:05 EST 2014


I am attaching here the traffic when using Firefox27 and IE10. Let me know
if you need any more info.

Regards,
Sabu

On Mon, Nov 3, 2014 at 7:10 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...>
wrote:

>  Can you record some traffic and send it to us by email
> outside this list when you are using Firefox and Internet
> Explorer for us to investigate this issue?
>
> Thanks,
> Costas
>
> On Nov 3, 2014, at 8:12 AM, Sabu Thaliyath <sabu.thaliyath at ...8...>
> wrote:
>
>   Hi Costas,
>
> I tried "-k none" and "-P 9000" options also but no luck again.
>
> However, I have a new observation this time. I see gmail getting
> blocked when I used Chrome38 browser but not while using IE10 or Firefox27.
> I tried with old as well as new detector and found that gmail is blocked on
> both when I use Chrome.
>
> Here are my rules (drop rule) :-
>
> drop tcp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100000; rev:4; )
> drop udp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100004; rev:4; )
> drop tcp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100010; rev:4; )
> drop udp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100014; rev:4; )
> drop tcp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100017; rev:4; )
> drop udp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100018; rev:4; )
> drop tcp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100019; rev:4; )
> drop udp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100020; rev:4; )
>  I am attaching here in this email
>
> 1) Alert and Drop output of gmail   (both from IE and Chrome)
> 2) Alert and drop Pcap files (both from IE and Chrome)
>
> Regards,
> Sabu
>
> On Sun, Nov 2, 2014 at 5:54 AM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
>
>>  Have you tried using in your snort command line arguments the "-k none"
>> for not ignoring bad checksums, and "-P 9000" to allow packets with large PDU
>> traffic in it?
>>
>>  If that did not work please send us the snort rules you are using with
>> AppID, some traffic with the alert output of the gmail rules, and we will
>> investigate it in detail.
>>
>> Thanks,
>> Costas
>>
>> On Nov 1, 2014, at 8:18 AM, Sabu Thaliyath <sabu.thaliyath at ...8...>
>> wrote:
>>
>>    Hi Costas,
>>
>> Thanks. I downloaded the new version but still no luck. It detects http
>> sites perfectly but not https.
>>
>>  I tried http://mail.google.com and it blocked; however, it is unable to
>> block https://mail.google.com .
>>
>>  *Here is how my environment is set up* (just in case the env is the
>> issue):
>>
>>  Windows 7, IE 10 & FF 27 browsers as my client system
>>  Linux Fedora 13 system as my default gateway with snort-openappid
>> installed.
>>
>> [root at ...50... openappid]# cat odp/version.conf
>> VERSION=223
>> [root at ...50... openappid]#
>>
>> Version 2.9.7.0 GRE (Build 149)
>> Using libpcap version 1.0.0
>> Using PCRE version: 7.8 2008-09-05
>> Using ZLIB version: 1.2.3
>> Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
>>
>>
>>  Here is the log of the *http* website:
>>
>> Nov  1 17:38:26 Fedora13 snort[2819]: [1:100010:4] appid_gmail:block
>> {TCP} 74.125.236.118:80 -> 192.168.121.99:64718
>>
>>  Just to be sure, I am going to try it on latest Ubuntu.
>>
>>  If OS is not an issue here, then please let me know if there are any
>> troubleshooting steps or logs I can get to help resolve this issue.
>>
>>  Regards,
>> Sabu
>>
>> On Fri, Oct 31, 2014 at 10:16 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
>>
>>>  Sabu,
>>>
>>>  We have actually released a new version of our detector package today
>>> at https://www.snort.org/downloads, in which we have also included the
>>> fix for this issue.
>>>
>>>  Feel free to download that one and make sure that your version of the
>>> odp package would be the following:
>>>
>>>  odp/version.conf
>>>
>>> VERSION=223
>>>
>>>  Let us know if you are still seeing more issues after you test it with
>>> this one.
>>>
>>>  Thanks
>>> Costas
>>>
>>>
>>>   From: Sabu Thaliyath <sabu.thaliyath at ...8...>
>>> Date: Friday, October 31, 2014 at 12:35 PM
>>> To: "Snort-openappid at lists.sourceforge.net" <
>>> Snort-openappid at lists.sourceforge.net>
>>> Subject: Re: [Snort-openappid] Gmail detection
>>>
>>>   Hi Costas,
>>>
>>>  I am facing the same issue as Payman. Tried tweaking
>>> ' openappid/odp/lua/ssl_host_group_belvedere.lua ' to get gmail blocked.
>>> But no luck. I see none of the https websites or applications getting
>>> blocked.
>>>
>>>  Is there any documentation on how lua/ssl_host_group_belvedere.lua
>>> works ? I read Opensource Detectors developer guide but still couldn't
>>> figure out much.
>>>
>>>  Any plans to fix this issue ?
>>>
>>>  Regards,
>>> Sabu
>>>
>>>
>>> *Re: [Snort-openappid] Gmail detection* <http://sourceforge.net/p/snort/mailman/message/32704933/>
>>> From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14
>>>
>>>
>>>  Payman,
>>>
>>> Thank you for bringing it to our attention.
>>>
>>> The correct configuration files for gmail are with the use of the SSL Host patterns.
>>> If you look at openappid/odp/lua/ssl_host_group_belvedere.lua, we have the following patterns now.
>>>
>>>
>>>  { 0, 655, '*.mail.google.com' },
>>>
>>>  { 0, 655, 'imap.gmail.com' },
>>>
>>>
>>> We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.
>>>
>>> Thanks
>>> Costas
>>>
>>> From: Peyman Gohari <peyman.gohari.pub at ...39...>
>>> Date: Monday, August 11, 2014 at 10:04 AM
>>> To: "snort-openappid at ...39..." <snort-openappid at ...39...>
>>> Subject: [Snort-openappid] Gmail detection
>>>
>>> Hi
>>>
>>>   I have been trying OpenAppId using snort-2.9.7.0_beta.
>>>   I am quite happy with the result when it comes to detecting non HTTPS sites (e.g. cnn.com, as per the tutorial).
>>>   However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:
>>>
>>> function DetectorInit(detectorInstance)
>>>     gDetector = detectorInstance
>>>     if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
>>>         gDetector:CHPCreateApp(655, 1, 0);
>>>         gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
>>>         gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
>>>         gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
>>>     end
>>>     return gDetector
>>> end
>>>
>>>   I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.
>>>
>>> Thanks for your help
>>> PG
>>>
>>>
>>
>   <openappid-logs.txt>
>
>  <Gateway_with_Alert_Chrome.pcap>
>
>  <Gateway_with_Alert_IE.pcap>
>
>  <Gateway_with_Drop_Chrome.pcap>
>
>  <Gateway_with_Drop_IE.pcap>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Gmail_NotBlocked_Firefox27.pcap
Type: application/octet-stream
Size: 91563 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20141104/05c624d7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Gmail_NotBlocked_IE10.pcap
Type: application/octet-stream
Size: 80779 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20141104/05c624d7/attachment-0001.obj>

