[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Fri Oct 31 12:35:45 EDT 2014


Hi Costas,

I am facing the same issue as Payman. Tried tweaking
'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked.
But no luck. I see none of the https websites or applications getting
blocked.

Is there any documentation on how lua/ssl_host_group_belvedere.lua works?
I read the Opensource Detectors developer guide but still couldn't figure out
much.

Any plans to fix this issue?

Regards,
Sabu


Re: [Snort-openappid] Gmail detection
<http://sourceforge.net/p/snort/mailman/message/32704933/>
From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14


Payman,

Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the
SSL Host patterns.
If you see the openappid/odp/lua/ssl_host_group_belvedere.lua we have
the following patterns now.


 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },


We will put the fix for this in our next release to allow the proper
SSL patterns from gmail.com and mail.google.com.

Thanks
Costas

From: Peyman Gohari <peyman.gohari.pub at ...39...>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid at ...39..." <snort-openappid at ...39...>
Subject: [Snort-openappid] Gmail detection

Hi

  I have been trying OpenAppId using snort-2.9.7.0_beta.
  I am quite happy with the result when it comes to detecting non
HTTPS sites (e.g. cnn.com, as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It
seems that the code used for detecting Gmail sits in
openappid/odp/lua/payload_gmail_userid.lua, with the core function
being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail
works. I am looking for documentation on the function CHPCreateApp or
any explanation on how the function DetectorInit works. If someone can
help me, that would be great.

Thanks for your help
PG
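The following is an added illustration, not code from the thread or from OpenAppID: a small Python matcher that applies SSL host patterns in the same (type, appId, pattern) shape as the ssl_host_group_belvedere.lua rows Costas quoted, to show why '*.mail.google.com' and 'imap.gmail.com' alone leave the bare hosts uncovered and what adding 'gmail.com' and 'mail.google.com' changes. The wildcard semantics (a leading '*.' matches one or more subdomain labels but not the bare host) and the FIXED_PATTERNS rows are assumptions for the illustration, not taken from the OpenAppID source.

```python
"""Toy SSL host-pattern matcher illustrating the Gmail coverage gap (added example)."""


def host_matches(pattern: str, host: str) -> bool:
    """Return True if `host` matches `pattern`.

    Assumed semantics (not verified against OpenAppID): an exact pattern must
    equal the host; a leading '*.' matches any non-empty run of subdomain
    labels, so '*.mail.google.com' covers 'chat.mail.google.com' but NOT the
    bare host 'mail.google.com'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.google.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(patterns, host):
    """Return the appId of the first pattern row matching `host`, else None."""
    for _ptype, app_id, pattern in patterns:
        if host_matches(pattern, host):
            return app_id
    return None


# Rows in the shape of the ssl_host_group_belvedere.lua excerpt quoted in the thread.
ORIGINAL_PATTERNS = [
    (0, 655, "*.mail.google.com"),
    (0, 655, "imap.gmail.com"),
]

# Assumed rows for the announced fix: bare gmail.com and mail.google.com hosts.
FIXED_PATTERNS = ORIGINAL_PATTERNS + [
    (0, 655, "mail.google.com"),
    (0, 655, "gmail.com"),
]


def coverage(patterns, hosts):
    """Map each host to the appId it would be tagged with (None = unmatched)."""
    return {h: classify(patterns, h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample SNI/certificate hostnames a mail client might present.
    sample = ["mail.google.com", "gmail.com", "imap.gmail.com",
              "chat.mail.google.com", "www.cnn.com"]
    for label, rows in (("original", ORIGINAL_PATTERNS), ("fixed", FIXED_PATTERNS)):
        print(label, coverage(rows, sample))
```

With the original rows, 'mail.google.com' and 'gmail.com' map to None, which is the behaviour both posters report; with the added bare-host rows they map to appId 655.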