[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Tue Nov 4 12:53:26 EST 2014

Great..!! thanks Costas...

- Sabu

-----Original Message-----
From: "Costas Kleopa (ckleopa)" <ckleopa at ...5...>
Sent: 04-11-2014 22:40
To: "Sabu Thaliyath" <sabu.thaliyath at ...8...>
Cc: "Snort-openappid at lists.sourceforge.net" <Snort-openappid at ...12...rge.net>
Subject: Re: [Snort-openappid] Gmail detection


We verified your traffic and it seems that there is an issue with us processing that specific scenario of the SSL traffic. We will be bugging it and plan to provide a fix in a future release.


From: Sabu Thaliyath <sabu.thaliyath at ...8...>
Date: Tuesday, November 4, 2014 at 12:11 AM
To: ckleopa <ckleopa at ...5...>
Cc: "Snort-openappid at lists.sourceforge.net" <Snort-openappid at ...12...rge.net>
Subject: Re: [Snort-openappid] Gmail detection

I am attaching here the traffic when using Firefox27 and IE10. Let me know if you need any more info.

On Mon, Nov 3, 2014 at 7:10 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:

Can you record some traffic and send it to us by email 
outside this list when you are using Firefox and Internet 
Explorer for us to investigate this issue?


On Nov 3, 2014, at 8:12 AM, Sabu Thaliyath <sabu.thaliyath at ...8...> wrote:

Hi Costas,
I tried the "-k none" and "-P 9000" options too, but no luck again.
However, I have a new observation this time. I see gmail getting blocked when I use the Chrome38 browser but not while using IE10 or Firefox27. I tried with the old as well as the new detector and found that gmail is blocked on both when I use Chrome.
Here are my rules (drop rules):
drop tcp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100000; rev:4; )
drop udp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100004; rev:4; )
drop tcp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100010; rev:4; )
drop udp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100014; rev:4; )
drop tcp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100017; rev:4; )
drop udp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100018; rev:4; )
drop tcp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100019; rev:4; )
drop udp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100020; rev:4; )

I am attaching to this email:
1) Alert and drop output of gmail (both from IE and Chrome)
2) Alert and drop pcap files (both from IE and Chrome)

On Sun, Nov 2, 2014 at 5:54 AM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:

Have you tried using in your snort command line arguments the "-k none" for
not ignoring bad checksums, and "-P 9000" to allow packets with large PDU
traffic in it?

If that did not work, please send us the snort rules you are using with AppID,
some traffic with the alert output of the gmail rules, and we will investigate it in detail.


On Nov 1, 2014, at 8:18 AM, Sabu Thaliyath <sabu.thaliyath at ...8...> wrote:

Hi Costas,

Thanks. I downloaded the new version but still no luck. It detects http sites perfectly but not https.

I tried http://mail.google.com and it was blocked; however, it is unable to block https://mail.google.com.

Here is how my environment is set up (just in case the environment is the issue):

Windows 7, IE 10 & FF 27 browsers as my client system

Linux Fedora 13 system as my default gateway with snort-openappid installed.

[root at ...50... openappid]# cat odp/version.conf
[root at ...50... openappid]#

Version GRE (Build 149)
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>

Here is the log of http website

Nov  1 17:38:26 Fedora13 snort[2819]: [1:100010:4] appid_gmail:block {TCP} ->

Just to be sure, I am going to try it on latest Ubuntu. 

If OS is not an issue here, then please let me know if there is any troubleshooting steps or logs I can get to help resolve this issue.


On Fri, Oct 31, 2014 at 10:16 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:


We have actually released a new version of our detector package today at https://www.snort.org/downloads, in which we have also included the fix for this issue. 

Feel free to download that one and make sure that your version of the odp package would be the following:


Let us know if you are still seeing more issues after you test it with this one.


From: Sabu Thaliyath <sabu.thaliyath at ...8...>
Date: Friday, October 31, 2014 at 12:35 PM
To: "Snort-openappid at lists.sourceforge.net" <Snort-openappid at ...12...rge.net>
Subject: Re: [Snort-openappid] Gmail detection

Hi Costas,

I am facing the same issue as Payman. Tried tweaking 'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked, but no luck. I see none of the https websites or applications getting blocked.

Is there any documentation on how lua/ssl_host_group_belvedere.lua works? I read the Opensource Detectors developer guide but still couldn't figure out much.

Any plans to fix this issue?


Re: [Snort-openappid] Gmail detection
From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14 


Thank you for bringing it to our attention.

The correct configuration files for gmail are the ones using the SSL Host patterns.
If you look at openappid/odp/lua/ssl_host_group_belvedere.lua, we have the following patterns now:

 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },

We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.


From: Peyman Gohari <peyman.gohari.pub at ...39...>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid at ...39..." <snort-openappid at ...39...>
Subject: [Snort-openappid] Gmail detection


  I have been trying OpenAppId using snort-
  I am quite happy with the result when it comes to detecting non-HTTPS sites (e.g. cnn.com, as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- 655 is the Gmail appId (the same id used in ssl_host_group_belvedere.lua)
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help
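As an added illustration (not OpenAppID code, and not posted by anyone in this thread) of how a host-pattern table like the `{ 0, 655, '*.mail.google.com' }` entries quoted above can be used to classify HTTPS flows by their TLS SNI host, here is a small Python stand-in. The matching semantics (a leading `*.` matches one or more extra labels but not the bare suffix) are an assumption of this example and are not established by the thread as OpenAppID's actual behaviour.

```python
# Added example, not OpenAppID code: a simplified SSL-host-pattern lookup
# shaped like the entries in ssl_host_group_belvedere.lua quoted above.
# How OpenAppID itself matches '*.' patterns is an ASSUMPTION here.

# Constructed table: (flags, appId, host pattern), copied from the thread.
SSL_HOST_PATTERNS = [
    (0, 655, "*.mail.google.com"),
    (0, 655, "imap.gmail.com"),
]

GMAIL_APPID = 655  # same appId the Lua detector passes to CHPCreateApp


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.suffix' matching one or more leading labels.

    Assumption of this example: a leading '*.' does NOT match the bare suffix,
    so '*.mail.google.com' covers 'x.mail.google.com' but not 'mail.google.com'.
    """
    host = host.lower().rstrip(".")   # SNI is case-insensitive; drop root dot
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern


def lookup_appid(sni_host: str, table=SSL_HOST_PATTERNS):
    """Return the appId for a TLS SNI host name, or None if nothing matches."""
    for _flags, app_id, pattern in table:
        if host_matches(pattern, sni_host):
            return app_id
    return None


def classify_sni(sni_hosts):
    """Map each observed SNI host to its appId (None = unclassified flow)."""
    return {h: lookup_appid(h) for h in sni_hosts}


if __name__ == "__main__":
    # Constructed SNI values; the two bare names are the hosts the thread
    # reports as not being blocked over HTTPS.
    sample = ["imap.gmail.com", "accounts.mail.google.com",
              "mail.google.com", "gmail.com"]
    for host, app in classify_sni(sample).items():
        print(f"{host:26s} -> appId {app}")
```

Under these assumed semantics only the first two sample hosts resolve to appId 655; the bare `mail.google.com` and `gmail.com` fall through unclassified, which is the kind of gap a drop rule keyed on `appid: gmail` cannot act on.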
