[Snort-openappid] Apple Pipeline Testing detector

Y M snort at ...46...
Wed Aug 19 09:45:06 EDT 2015

I have noticed some OSX boxes doing this and I haven't seen it before. Google searches indicate it is legit; I have just never seen them before. Pcap available if required.

--[[
detection_name: apple_pipline
version: 1
description: Apple Pipeline Testing.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "apple_pipline",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("apple_pipline");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "configuration.apple.com", "/configurations/pep/pipeline", "http:", "", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

Thank you.
YM