[Snort-openappid] Gmail detection

Sabu Thaliyath sabu.thaliyath at ...8...
Fri Oct 31 12:35:45 EDT 2014

Hi Costas,

I am facing the same issue as Payman. Tried tweaking
'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked.
But no luck. I see none of the https websites or applications getting

Is there any documentation on how lua/ssl_host_group_belvedere.lua works?
I read the Opensource Detectors developer guide but still couldn't figure out

Any plans to fix this issue ?


Re: [Snort-openappid] Gmail detection
From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14


Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the
SSL Host patterns.
If you see openappid/odp/lua/ssl_host_group_belvedere.lua we have
the following patterns now:

 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },

We will put the fix for this in our next release to allow the proper
SSL patterns from gmail.com and mail.google.com.


From: Peyman Gohari <peyman.gohari.pub at ...39...>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid at ...39..." <snort-openappid at ...39...>
Subject: [Snort-openappid] Gmail detection


  I have been trying OpenAppId using snort-
  I am quite happy with the result when it comes to detecting non-HTTPS
sites (e.g. cnn.com, as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It
seems that the code used for detecting Gmail sits in
openappid/odp/lua/payload_gmail_userid.lua, with the core function

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- register the patterns only if the running AppID API exposes the CHP calls
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        -- one host pattern plus two URI patterns for app id 655; the "?gxlu="
        -- entry (action 2, terminated by "&") is what the file name suggests
        -- pulls the Gmail user id out of the request URI
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail
works. I am looking for documentation on the function CHPCreateApp or
any explanation on how the function DetectorInit works. If someone can
help me, that would be great.

Thanks for your help
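As an added example, not code from this thread or from the OpenAppID project: the table below mirrors the shape of the quoted ssl_host_group_belvedere.lua entries (type, app id, pattern), and a small Python matcher shows why the two original patterns leave a TLS ClientHello carrying SNI mail.google.com or gmail.com unclassified, while the two patterns the reply says will be added cover both. The wildcard semantics (a leading "*." matches one or more labels, anything else is an exact match), the minimal ClientHello builder, the sample host names and the pattern tables are all assumptions made for illustration; OpenAppID's own SSL host matcher may behave differently.

```python
import struct

# Constructed pattern table in the shape of the quoted ssl_host_group entries:
# (type, appId, pattern). The leading 0 is kept as an opaque field.
SSL_HOST_PATTERNS_ORIGINAL = [
    (0, 655, "*.mail.google.com"),
    (0, 655, "imap.gmail.com"),
]

# Assumed shape of the fix described in the reply: plain host patterns for
# gmail.com and mail.google.com added to the same app id.
SSL_HOST_PATTERNS_FIXED = SSL_HOST_PATTERNS_ORIGINAL + [
    (0, 655, "gmail.com"),
    (0, 655, "mail.google.com"),
]


def host_matches(pattern, host):
    """Assumed semantics: '*.' matches one or more leading labels, else exact."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.google.com"; the dot keeps evilmail.google.com out
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def lookup_appid(patterns, host):
    """Return the app id of the first matching pattern, or None."""
    for _type, appid, pattern in patterns:
        if host_matches(pattern, host):
            return appid
    return None


def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    sni_ext = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext     # ext type 0 = server_name
    body = (
        b"\x03\x03"                   # client_version
        + b"\x00" * 32                # random (zeroed, constructed sample)
        + b"\x00"                     # session_id length 0
        + b"\x00\x02\x00\x2f"         # cipher_suites: one suite
        + b"\x01\x00"                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Parse the host_name from a TLS ClientHello record; None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                if ntype == 0:
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None


def classify_client_hello(patterns, record):
    """SNI-based classification of one ClientHello against a pattern table."""
    host = extract_sni(record)
    return None if host is None else lookup_appid(patterns, host)
```

With the original table only a subdomain of mail.google.com (for example smtp.mail.google.com) or imap.gmail.com classifies as 655, which is why a browser session whose SNI is the bare mail.google.com goes unrecognised; the fixed table classifies it.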