[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Tue Nov 11 08:18:27 EST 2014


Thanks William,

I tried as you suggested... blocked SSLv3 via iptables and it worked !!

- Sabu

On Sat, Nov 8, 2014 at 3:06 AM, William Arbaugh <waa at ...60...> wrote:

> Sabu,
>
> A rule to block SSLv3 in general without appid would probably be a good
> thing.
>
> Bill
>
> > On Nov 7, 2014, at 3:57 PM, Mike Stepanek (mstepane) <mstepane at ...5...>
> wrote:
> >
> > Sabu -
> >
> > Correct.  Your IE and Firefox are backing off to SSLv3 when their TLS
> attempt is being blocked.  Unfortunately, the SSLv3 handshake is skirting
> our detector.  Chrome, however, is not backing off to SSLv3, so it's
> effectively blocked.  This is being worked on and will be fixed in a future
> release.
> >
> > Thanks for the feedback!
> >
> > - Mike Stepanek
> >    mstepane at ...5...
> >
> >
> > From: Sabu Thaliyath [mailto:sabu.thaliyath at ...8...]
> > Sent: Monday, November 03, 2014 8:12 AM
> > To: Costas Kleopa (ckleopa)
> > Cc: Snort-openappid at lists.sourceforge.net
> > Subject: Re: [Snort-openappid] Gmail detection
> >
> > Hi Costas,
> >
> > I tried "-k none" and "-P 9000" options also but no luck again.
> >
> > However, I have a new observation this time. I see gmail getting blocked
> when I used Chrome38 browser but not while using IE10 or Firefox27. I tried
> with old as well as new detector and found that gmail is blocked on both
> when I use Chrome.
> >
> > Here are my rules (drop rule) :-
> >
> > drop tcp [any] any <> any any (msg : "bing:drop"; appid: bing;
> sid:100000; rev:4; )
> > drop udp [any] any <> any any (msg : "bing:drop"; appid: bing;
> sid:100004; rev:4; )
> > drop tcp [any] any <> any any (msg : "gmail:drop"; appid: gmail;
> sid:100010; rev:4; )
> > drop udp [any] any <> any any (msg : "gmail:drop"; appid: gmail;
> sid:100014; rev:4; )
> > drop tcp [any] any <> any any (msg : "google_accounts:drop"; appid:
> google_accounts; sid:100017; rev:4; )
> > drop udp [any] any <> any any (msg : "google_accounts:drop"; appid:
> google_accounts; sid:100018; rev:4; )
> > drop tcp [any] any <> any any (msg : "google_drive:drop"; appid:
> google_drive; sid:100019; rev:4; )
> > drop udp [any] any <> any any (msg : "google_drive:drop"; appid:
> google_drive; sid:100020; rev:4; )
> > I am attaching here in this email
> >
> > 1) Alert and Drop output of gmail   (both from IE and Chrome)
> > 2) Alert and drop Pcap files (both from IE and Chrome)
> >
> > Regards,
> > Sabu
> >
> > On Sun, Nov 2, 2014 at 5:54 AM, Costas Kleopa (ckleopa) <
> ckleopa at ...5...> wrote:
> > Have you tried using in your snort command line arguments the "-k none" for
> > not ignoring bad checksums, and "-P 9000" to allow packets with large PDU
> > traffic in it?
> >
> > If that did not work please send us the snort rules you are using with
> AppID,
> > some traffic with the alert output of the gmail rules and we will
> investigate it into detail.
> >
> > Thanks,
> > Costas
> >
> > On Nov 1, 2014, at 8:18 AM, Sabu Thaliyath <sabu.thaliyath at ...8...>
> wrote:
> >
> > Hi Costas,
> >
> > Thanks.. I downloaded the new version but still no luck.. It detects http
> sites perfectly but not https.
> >
> > I tried http://mail.google.com and it blocked however it is unable to
> block https://mail.google.com .
> >
> > Here is how my environment is setup.  (Just in case if env is the issue)
> >
> > Windows 7, IE 10 & FF 27 browsers as my client system
> > Linux Fedora 13 system as my default gateway with snort-openappid
> installed.
> >
> > [root at ...50... openappid]# cat odp/version.conf
> > VERSION=223
> > [root at ...50... openappid]#
> >
> > Version 2.9.7.0 GRE (Build 149)
> > Using libpcap version 1.0.0
> > Using PCRE version: 7.8 2008-09-05
> > Using ZLIB version: 1.2.3
> > Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
> >
> >
> > Here is the log of http website
> >
> > Nov  1 17:38:26 Fedora13 snort[2819]: [1:100010:4] appid_gmail:block
> {TCP} 74.125.236.118:80 -> 192.168.121.99:64718
> >
> > Just to be sure, I am going to try it on latest Ubuntu.
> >
> > If OS is not an issue here, then please let me know if there is any
> troubleshooting steps or logs I can get to help resolve this issue.
> >
> > Regards,
> > Sabu
> >
> > On Fri, Oct 31, 2014 at 10:16 PM, Costas Kleopa (ckleopa) <
> ckleopa at ...5...> wrote:
> > Sabu,
> >
> > We have actually released a new version of our detector package today at
> https://www.snort.org/downloads, in which we have also included the fix
> for this issue.
> >
> > Feel free to download that one and make sure that your version of the
> odp package would be the following:
> >
> > odp/version.conf
> > VERSION=223
> >
> > Let us know if you are still seeing more issues after you test it with
> this one.
> >
> > Thanks
> > Costas
> >
> >
> > From: Sabu Thaliyath <sabu.thaliyath at ...8...>
> > Date: Friday, October 31, 2014 at 12:35 PM
> > To: "Snort-openappid at lists.sourceforge.net" <
> Snort-openappid at lists.sourceforge.net>
> > Subject: Re: [Snort-openappid] Gmail detection
> >
> > Hi Costas,
> >
> > I am facing the same issue as Payman. Tried tweaking
> 'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked. But
> no luck. I see none of the https websites or applications getting blocked.
> >
> > Is there any documentation on how lua/ssl_host_group_belvedere.lua works?
> I read the Opensource Detectors developer guide but still couldn't figure out
> much.
> >
> > Any plans to fix this issue?
> >
> > Regards,
> > Sabu
> >
> >
> > Re: [Snort-openappid] Gmail detection
> > From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14
> >
> >
> > Payman,
> >
> > Thank you for bringing it to our attention.
> >
> > The correct configuration files for gmail are with the use of the
> SSL Host patterns.
> > If you see the openappid/odp/lua/ssl_host_group_belvedere.lua we have
> the following patterns now.
> >
> >
> >  { 0, 655, '*.mail.google.com' },
> >
> >  { 0, 655, 'imap.gmail.com' },
> >
> >
> > We will put the fix for this in our next release to allow the proper SSL
> patterns from gmail.com and mail.google.com.
> >
> > Thanks
> > Costas
> >
> > From: Peyman Gohari <peyman.gohari.pub at ...39...>
> > Date: Monday, August 11, 2014 at 10:04 AM
> > To: "snort-openappid at ...39..." <snort-openappid at ...39...>
> > Subject: [Snort-openappid] Gmail detection
> >
> > Hi
> >
> >   I have been trying OpenAppId using snort-2.9.7.0_beta.
> >   I am quite happy with the result when it comes to detecting non HTTPS
> sites (ex: cnn.com; as per the tutorial).
> >   However, for an obscure reason, it does not recognise Gmail. It seems
> that the code used for detecting Gmail sits in
> openappid/odp/lua/payload_gmail_userid.lua, with the core function being:
> >
> > function DetectorInit(detectorInstance)
> >     gDetector = detectorInstance
> >     -- only register patterns when the engine exposes the CHP API;
> >     -- 655 is the gmail application id (the same id used in
> >     -- ssl_host_group_belvedere.lua)
> >     if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
> >         gDetector:CHPCreateApp(655, 1, 0);
> >         gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
> >         gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
> >         gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
> >     end
> >     return gDetector
> > end
> >
> >   I am curious to understand how the recognition of sites like Gmail
> works. I am looking for documentation on the function CHPCreateApp or any
> explanation on how the function DetectorInit works. If someone can help me,
> that would be great.
> >
> > Thanks for your help
> > PG
> >
> >
> >
> ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-openappid mailing list
> > Snort-openappid at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-openappid
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>