[Snort-openappid] MS OneDrive additional detectors

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Jul 6 08:30:57 EDT 2015


Thanks again for your contribution. We will evaluate these detectors and see what we can add to our roadmap. In the meantime, if you can share the pcaps with us it would be great.

Thanks
Costas

On Jul 5, 2015, at 6:58 PM, Y M <snort at ...46...> wrote:

Hi,

While there are existing detectors for OneDrive, I thought of adding the below ones for additional detection. Please ignore them if they are of no interest. Pcaps available if required.

1- OneDrive on OS X:

--[[
detection_name: onedrive_osx
version: 1
description: Microsoft OneDrive (formerly SkyDrive) client for OS X.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "onedrive_osx",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("onedrive_osx");

        -- URL is different than the one in existing detectors
        -- addHttpPattern type 2 registers an HTTP User-Agent pattern; "OneDrive" is the substring to match
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "OneDrive", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

2- OneDrive Quality of Service data upload:

--[[
detection_name: onedrive_qa_up
version: 1
description: Microsoft OneDrive (formerly SkyDrive) client upload of non-personal data to improve quality of service.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "onedrive_qa_up",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("onedrive_qa_up");

        --[[ The similarities in the hostname + URL patterns may suggest that the Windows client of OneDrive
                uses the same User-Agent as Dr. Watson (MSDW).
                The hostname + URL patterns were observed with the OS X version of OneDrive with a different
                User-Agent.
        ]]--
        -- addAppUrl matches on host + path (+ scheme), so this fires regardless of the User-Agent
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ssw.live.com", "/UploadData.aspx", "http:", "", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

3- Microsoft Compatibility Exchange Service:

--[[
detection_name: ms_comp_svc
version: 1
description: Detector for Microsoft Compatibility Exchange Service User-Agent (application compatibility). Observed on Windows 10 Build 10162.
Reference: technet.microsoft.com/en-us/library/cc766466(v=ws.10).aspx
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "ms_comp_svc",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("ms_comp_svc");

        --[[ The URL associated with this User-Agent eventually leads to:
                compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended
                See above reference for more information.
        ]]--
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "WicaAgent", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

Thanks.
YM
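The following is an added example, not part of the original post or of the OpenAppID project: it takes the three patterns from the detectors above (the "OneDrive" and "WicaAgent" User-Agent patterns and the ssw.live.com + /UploadData.aspx URL pattern) and runs them over a handful of constructed HTTP request heads, so you can see which detector would fire on what, including the case the poster notes where the QoS upload arrives with a Dr. Watson-style "MSDW" User-Agent and only the URL pattern matches. AppID's real multi-pattern matching is replaced by plain substring and prefix checks, and the full User-Agent strings and request paths in the samples are assumptions made for the example, not values taken from the poster's pcaps.

```python
"""Offline simulation of the three OpenAppID patterns from the post.

Matching is simplified (substring for User-Agent, exact host + path prefix for
URL); it is an illustration of what each detector keys on, not AppID's engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    host: str
    path: str
    user_agent: str


# Patterns taken from the three detectors in the post.
# addHttpPattern(2, ...) registers a User-Agent pattern -> detector name.
USER_AGENT_PATTERNS = {
    "OneDrive": "onedrive_osx",
    "WicaAgent": "ms_comp_svc",
}
# addAppUrl(... host, path ...) registers a host + path pattern -> detector name.
URL_PATTERNS = {
    ("ssw.live.com", "/UploadData.aspx"): "onedrive_qa_up",
}


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a plain-text HTTP/1.x request head."""
    lines = raw.strip("\r\n").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(
        host=headers.get("host", "").lower(),
        path=target.split("?", 1)[0],  # drop the query string, keep the path
        user_agent=headers.get("user-agent", ""),
    )


def classify(req: HttpRequest) -> list:
    """Return the names of the detectors whose patterns fire on this request.

    User-Agent patterns are case-sensitive substring matches here; URL patterns
    need the exact host and a path that starts with the configured path. One
    request can hit more than one detector (a client pattern and a URL pattern).
    """
    hits = []
    for needle, name in USER_AGENT_PATTERNS.items():
        if needle in req.user_agent:
            hits.append(name)
    for (host, path), name in URL_PATTERNS.items():
        if req.host == host and req.path.startswith(path):
            hits.append(name)
    return hits


# Constructed sample request heads (assumed for this example, not from the
# poster's pcaps). Only the substrings "OneDrive", "WicaAgent", "MSDW" and the
# ssw.live.com / compatexchange1.trafficmanager.net URLs come from the post.
SAMPLES = {
    "osx_client": (
        "GET /v1.0/drive/root HTTP/1.1\r\n"
        "Host: api.onedrive.com\r\n"
        "User-Agent: OneDrive/17.3.6 (Mac OS X)\r\n\r\n"
    ),
    "qos_upload_drwatson_ua": (
        "POST /UploadData.aspx?Token=x HTTP/1.1\r\n"
        "Host: ssw.live.com\r\n"
        "User-Agent: MSDW\r\n\r\n"
    ),
    "qos_upload_osx_ua": (
        "POST /UploadData.aspx HTTP/1.1\r\n"
        "Host: ssw.live.com\r\n"
        "User-Agent: OneDrive/17.3.6 (Mac OS X)\r\n\r\n"
    ),
    "compat_exchange": (
        "POST /CompatibilityExchangeService.svc/extended HTTP/1.1\r\n"
        "Host: compatexchange1.trafficmanager.net\r\n"
        "User-Agent: WicaAgent\r\n\r\n"
    ),
    "unrelated": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
}


def run_samples() -> dict:
    """Classify every sample; returns {sample name: [detector names]}."""
    return {name: classify(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:24s} -> {hits or ['(no match)']}")
```

The "qos_upload_osx_ua" sample is the overlap case: the OS X client's User-Agent fires onedrive_osx while the same request's host + path fires onedrive_qa_up, which is the situation the comment in the second detector describes. Swap in User-Agent strings from your own captures to check that the substring patterns are neither too narrow nor too broad before submitting a detector.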

Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
