[Snort-openappid] MS OneDrive additional detectors

Y M snort at ...46...
Sun Jul 5 18:58:06 EDT 2015


Hi,
While there are existing detectors for OneDrive, I thought of adding the below ones for additional detection. Please ignore them if they are of no interest. Pcaps available if required.
1- OneDrive on OS X:
--[[
detection_name: onedrive_osx
version: 1
description: Microsoft OneDrive (formerly SkyDrive) client for OS X.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

DetectorPackageInfo = {
        name = "onedrive_osx",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("onedrive_osx");

        -- URL is different than the one in existing detectors
        -- Register a User-Agent pattern ("OneDrive") for this app id.
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "OneDrive", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end
2- OneDrive Quality of Service data upload:
--[[
detection_name: onedrive_qa_up
version: 1
description: Microsoft OneDrive (formerly SkyDrive) client upload of non-personal data to improve quality of service.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

DetectorPackageInfo = {
        name = "onedrive_qa_up",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("onedrive_qa_up");

        --[[ The similarities in the hostname + URL patterns may suggest that the Windows client of OneDrive
                uses the same User-Agent of Dr. Watson; MSDW.
                The hostname + URL patterns were observed with OS X version of OneDrive with different
                User-Agent.
        ]]--
        -- Match on hostname + URL rather than on the (possibly shared) User-Agent.
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ssw.live.com", "/UploadData.aspx", "http:", "", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end
3- Microsoft Compatibility Exchange Service:
--[[
detection_name: ms_comp_svc
version: 1
description: Detector for Microsoft Compatibility Exchange Service User-Agent (application compatibility). Observed on Windows 10 Build 10162.
Reference: technet.microsoft.com/en-us/library/cc766466(v=ws.10).aspx
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

DetectorPackageInfo = {
        name = "ms_comp_svc",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("ms_comp_svc");

        --[[ The URL associated with this User-Agent eventually leads to:
                compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended
                See above reference for more information.
        ]]--
        -- Register a User-Agent pattern ("WicaAgent") for this app id.
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "WicaAgent", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end
Thanks.
YM
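As an added example (not part of the post above and not OpenAppID or Snort code), the following Python reproduces, offline, the matching that the three posted detectors perform: a User-Agent pattern for "OneDrive", a User-Agent pattern for "WicaAgent", and a hostname plus URL pattern for ssw.live.com /UploadData.aspx. The sample requests are constructed (only ssw.live.com, the /UploadData.aspx path, compatexchange1.trafficmanager.net and the "MSDW" name come from the post); the matching semantics are assumptions about how OpenAppID evaluates these calls (case-sensitive substring match on the User-Agent, exact Host plus path-prefix match for the URL rule), and the rule-table names are hypothetical.

```python
"""Offline re-implementation of the matching logic of three OpenAppID
detectors (added example; not OpenAppID/Snort code).  Parses a raw HTTP/1.1
request head and reports which detector names would fire for it.

Assumed semantics: addHttpPattern(2, 5, ..., PATTERN, ...) is modelled as a
substring match on the User-Agent header; addAppUrl(..., HOST, PATH, ...) as
an exact Host match plus a path-prefix match."""

from dataclasses import dataclass

# Rule tables transcribed from the post's Lua calls (names are hypothetical).
USER_AGENT_RULES = (
    ("onedrive_osx", "OneDrive"),    # addHttpPattern(2, 5, ..., "OneDrive", ...)
    ("ms_comp_svc", "WicaAgent"),    # addHttpPattern(2, 5, ..., "WicaAgent", ...)
)
URL_RULES = (
    # addAppUrl(..., "ssw.live.com", "/UploadData.aspx", "http:", "", ...)
    ("onedrive_qa_up", "ssw.live.com", "/UploadData.aspx"),
)


@dataclass(frozen=True)
class HttpRequest:
    method: str
    target: str
    headers: dict  # header names lower-cased

    @property
    def host(self) -> str:
        # Strip an optional :port so "ssw.live.com:80" still matches the rule.
        return self.headers.get("host", "").split(":", 1)[0].lower()

    @property
    def path(self) -> str:
        # The rule names only the path, so drop any query string.
        return self.target.split("?", 1)[0]

    @property
    def user_agent(self) -> str:
        return self.headers.get("user-agent", "")


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 parser: request line plus headers, body ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def classify(req: HttpRequest) -> list:
    """Return the sorted detector names whose pattern matches the request."""
    hits = set()
    for app, pattern in USER_AGENT_RULES:
        if pattern in req.user_agent:
            hits.add(app)
    for app, host, path in URL_RULES:
        if req.host == host and req.path.startswith(path):
            hits.add(app)
    return sorted(hits)


# Constructed sample traffic.  Hosts and version strings are made up except
# those named in the post; the "MSDW" User-Agent value is an assumption.
SAMPLES = {
    "osx_client": (b"GET /sync HTTP/1.1\r\n"
                   b"Host: files.example.com\r\n"
                   b"User-Agent: OneDrive/1.0 (Mac OS X; constructed)\r\n\r\n"),
    "qos_upload": (b"POST /UploadData.aspx?id=1 HTTP/1.1\r\n"
                   b"Host: ssw.live.com:80\r\n"
                   b"User-Agent: MSDW\r\n"
                   b"Content-Length: 0\r\n\r\n"),
    "compat_exchange": (b"POST /CompatibilityExchangeService.svc/extended HTTP/1.1\r\n"
                        b"Host: compatexchange1.trafficmanager.net\r\n"
                        b"User-Agent: WicaAgent\r\n\r\n"),
    "browser": (b"GET / HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"),
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {sample_name: [detector names]}."""
    return {name: classify(parse_request(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:16s} -> {hits or '(no match)'}")
```

The "qos_upload" sample is the interesting one: its User-Agent ("MSDW") contains neither "OneDrive" nor "WicaAgent", so only the hostname plus URL rule attributes it, which is why the post keys that detector on ssw.live.com and /UploadData.aspx rather than on a User-Agent that may be shared with Dr. Watson. A request to a different host with the same path, or to ssw.live.com with another path, would not match.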