[Snort-openappid] EA Download Manager detector

Y M snort at ...46...
Wed Aug 19 09:41:47 EDT 2015


Hi,
The below detector is for the Electronic Arts (EA) games download manager, aka Origin. Pcaps are available if required.
--[[detection_name: ea_origin_dmversion: 1description: EA (Electronic Arts) Download Manager, A.K.A Origin.--]]
require "DetectorCommon"local DC = DetectorCommon
local proto = DC.ipproto.tcp;DetectorPackageInfo = {	name = "ea_origin_dm",	proto = proto,	server = {		init = 'DetectorInit',		clean = 'DetectorClean',		minimum_matches = 1	}}
function DetectorInit(detectorInstance)
	gDetector = detectorInstance;	gAppId = gDetector:open_createApp("ea_origin_dm");
	if gDetector.addAppUrl then		gDetector:addAppUrl(0, 0, 0, gAppId, 0, "heartbeat.dm.origin.com", "/", "http:", "", gAppId);		-- The below pattern may be weak to be used for detection.		gDetector:addAppUrl(0, 0, 0, gAppId, 0, "lvlt.cdn.ea.com", "/", "http:", "", gAppId);	end	if gDetector.addHttpPattern then		-- User-Agent below is used for both Windows and OS X versions of the app.		-- Further distinction can be made using the X- Extensions		gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "EA Download Manager Origin", gAppId);	end	if gDetector.addSSLCnamePattern then		gDetector:addSSLCnamePattern(0, gAppId, "dm.origin.com");		--[[ Below patterns are more tailored to the specifics of the app functions. Adding these here for completness rather than functionality.			- Create new chat group within the app			gDetector:addSSLCnamePattern(0, gAppId, "groups.gameservices.ea.com");			- Chat on a group			gDetector:addSSLCnamePattern(0, gAppId, "chat.dm.origin.com");			- App feeds			gDetector:addSSLCnamePattern(0, gAppId, "atom.dm.origin.com");			- App Web			gDetector:addSSLCnamePattern(0, gAppId, "web.dm.origin.com");			- App Avatar			gDetector:addSSLCnamePattern(0, gAppId, "avatar.dm.origin.com");		    Other certificates exist (dirtybits. and promomanager.)		]]--	end
	return gDetector;end
function DetectorClean()end
Thank you.YM 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20150819/c67e35b4/attachment.html>


More information about the Snort-openappid mailing list