[Snort-openappid] WPS/Kingsoft Office detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Tue Jul 28 11:26:29 EDT 2015

Thank you for your contribution. If you can send us the traffic for those it would be great.


On Jul 26, 2015, at 8:25 AM, Y M <snort at ...46...<mailto:snort at ...46...>> wrote:


The "docer" user-agent was bugging me for a while . Please find below detector for the WPS office traffic (Windows + Android). The application is chatty and promotes ads heavily within the app itself. Pcaps are available, please let me know.

detection_name: wps_office
version: 1
description: A Chinese office suite known as WPS/Kingsoft. For further testing apps can be downloaded from:
        Windows --> wdl1[dot]cache[dot]wps[dot]cn/wps/download/W.P.S.5155.19.552.exe
        Android --> kad[dot]www[dot]wps[dot]cn/wps/download/android/kingsoftoffice_2052/moffice_cn00563.apk
        Linux   --> wdl1[dot]cache[dot]wps[dot]cn/wps/download/Linux/unstable/wps-office_8.1.0.3724~b1p2_i386.deb

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "wps_office",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("wps_office");

        -- Observed with Windows versions.
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "docer", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Update.WPS", gAppId);

        -- While the domain wps.cn<http://wps.cn/> is common between app versions, the Android version did not use any of the above User-Agents.
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "wps.cn<http://wps.cn/>", "/", "http:", "", gAppId);

        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "wps.cn<http://wps.cn/>");

        return gDetector;

function DetectorClean()

Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at ...12...rge.net>

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20150728/9c5969da/attachment.html>

More information about the Snort-openappid mailing list