[Snort-openappid] Gmail detection

Costas Kleopa (ckleopa) ckleopa at ...5...
Fri Oct 31 12:46:59 EDT 2014


We have actually released a new version of our detector package today at https://www.snort.org/downloads, in which we have also included the fix for this issue.

Feel free to download that one and make sure that your version of the odp package would be the following:



Let us know if you are still seeing more issues after you test it with this one.


From: Sabu Thaliyath <sabu.thaliyath at ...8...<mailto:sabu.thaliyath at ...8...>>
Date: Friday, October 31, 2014 at 12:35 PM
To: "Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at ...7...rceforge.net>" <Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at lists.sourceforge.net>>
Subject: Re: [Snort-openappid] Gmail detection

Hi Costas,

I am facing the same issue as Payman. Tried tweaking ' openappid/odp/lua/ssl_host_group_belvedere.lua ' to get gmail blocked. But no luck. I see none of the https websites or applications getting blocked.

Is there any documentation on how lua/ssl_host_group_belvedere.lua works ? I read Opensource Detectors developer guide but still couldn't figure out much.

Any plans to fix this issue ?


Re: [Snort-openappid] Gmail detection<http://sourceforge.net/p/snort/mailman/message/32704933/>
From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14


Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the the SSL Host patterns.
If you see the openappid/odp/lua/ssl_host_group_belvedere.lua we have the following patterns now.

 { 0, 655, '*.mail.google.com<http://mail.google.com/>' },

 { 0, 655, 'imap.gmail.com<http://imap.gmail.com/>' },

We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com<http://gmail.com/> and mail.google.com<http://mail.google.com/>.


From: Peyman Gohari <peyman.gohari.pub at ...39...<mailto:peyman.gohari.pub@<mailto:peyman.gohari.pub@>...>>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid at ...39...<mailto:snort-openappid@<mailto:snort-openappid@>...>" <snort-openappid at ...39...<mailto:snort-openappid@<mailto:snort-openappid@>...>>
Subject: [Snort-openappid] Gmail detection


  I have been trying OpenAppId using snort-
  I am quite happy with the result when it comes to detecting non HTTPS sites (ex:cnn.com<http://cnn.com/><http://cnn.com><http://cnn.com%3E/>; as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com<http://mail.google.com/><http://mail.google.com>"<http://mail.google.com%3E%22/>;, 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    return gDetector

  I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20141031/738e748c/attachment.html>

More information about the Snort-openappid mailing list