[Snort-openappid] WPS/Kingsoft Office detector

Y M snort at ...46...
Sun Jul 26 08:25:12 EDT 2015


Hi
The "docer" user-agent was bugging me for a while. Please find below a detector for the WPS Office traffic (Windows + Android). The application is chatty and promotes ads heavily within the app itself. Pcaps are available; please let me know.
--[[
detection_name: wps_office
version: 1
description: A Chinese office suite known as WPS/Kingsoft. For further testing apps can be downloaded from:
        Windows --> wdl1[dot]cache[dot]wps[dot]cn/wps/download/W.P.S.5155.19.552.exe
        Android --> kad[dot]www[dot]wps[dot]cn/wps/download/android/kingsoftoffice_2052/moffice_cn00563.apk
        Linux   --> wdl1[dot]cache[dot]wps[dot]cn/wps/download/Linux/unstable/wps-office_8.1.0.3724~b1p2_i386.deb
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

DetectorPackageInfo = {
        name = "wps_office",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("wps_office");

        -- User-Agent strings observed with Windows versions.
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "docer", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Update.WPS", gAppId);
        end

        -- While the domain wps.cn is common between app versions, the Android version
        -- did not use any of the above User-Agents, so also match the HTTP host wps.cn.
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "wps.cn", "/", "http:", "", gAppId);
        end

        -- Catch the same domain in TLS (SSL common name / server name).
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "wps.cn");
        end

        return gDetector;
end

function DetectorClean()
end
Thanks.
YM
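An offline check of what the three registrations in the detector above would match, as an added example that is not part of the original post or of Snort/OpenAppID (the engine's own matcher is not reproduced): it applies the User-Agent substrings, the host+path pair and the SSL name from the detector to constructed HTTP requests and TLS server names, so the patterns can be sanity-checked against pcap-derived samples before the detector is loaded. Assumed: host and SSL names match by domain suffix, User-Agent patterns match as plain substrings.

```python
"""Offline check of the three match types the WPS Office detector registers."""
from typing import Optional

# Values copied from the detector above; the matching rules below are assumptions.
USER_AGENT_PATTERNS = ("docer", "Update.WPS")   # addHttpPattern, matched as substrings
URL_RULES = (("wps.cn", "/"),)                   # addAppUrl: (host, path prefix)
SSL_NAME_PATTERNS = ("wps.cn",)                  # addSSLCnamePattern: domain suffix

def _domain_matches(name: str, pattern: str) -> bool:
    """True when name is pattern itself or a subdomain of it (assumed rule)."""
    name = name.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into its path and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"path": path, "headers": headers}

def classify_http(raw: str) -> Optional[str]:
    """Return 'wps_office' when the request hits a User-Agent or host+path rule."""
    req = parse_http_request(raw)
    user_agent = req["headers"].get("user-agent", "")
    if any(p in user_agent for p in USER_AGENT_PATTERNS):
        return "wps_office"
    host = req["headers"].get("host", "").split(":")[0]   # drop any :port
    for rule_host, rule_path in URL_RULES:
        if _domain_matches(host, rule_host) and req["path"].startswith(rule_path):
            return "wps_office"
    return None

def classify_tls(server_name: str) -> Optional[str]:
    """Return 'wps_office' when the SNI / certificate CN falls under a listed domain."""
    if any(_domain_matches(server_name, p) for p in SSL_NAME_PATTERNS):
        return "wps_office"
    return None

if __name__ == "__main__":
    # Constructed samples: update check by User-Agent, download by host, unrelated name.
    print(classify_http("GET /update HTTP/1.1\r\nHost: cdn.example.invalid\r\nUser-Agent: docer/1.0\r\n\r\n"))
    print(classify_http("GET /wps/download/ HTTP/1.1\r\nHost: wdl1.cache.wps.cn\r\nUser-Agent: Mozilla/5.0\r\n\r\n"))
    print(classify_tls("kad.www.wps.cn"), classify_tls("notwps.cn"))
```

Note that the addAppUrl path of "/" makes any request to a wps.cn host match, so the host rule, not the path, is what carries that registration.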