[Snort-openappid] Apple Pipeline Testing detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Wed Aug 19 10:28:52 EDT 2015


Thanks for your contribution. If you can send us pcaps for those it would be great.

On Aug 19, 2015, at 9:45 AM, Y M <snort at ...46...> wrote:

Hi,

I have noticed some OSX boxes doing this and I haven't seen it before. Google searches indicate it is legit; I have just never seen them before. Pcap available if required.

--[[
detection_name: apple_pipline
version: 1
description: Apple Pipeline Testing.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "apple_pipline",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("apple_pipline");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "configuration.apple.com", "/configurations/pep/pipeline", "http:", "", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

Thank you.
YM