[Snort-openappid] BlueStacks OpenAppID Detector

Y M snort at ...46...
Mon May 11 14:18:30 EDT 2015


Hi,
Since I did not find the BlueStacks app detector within the OpenAppID package, here is the code for the same detector (client_Bluestacks.lua). Any feedback (including rants :)) is welcome. Pcap can be provided if required.

--[[
detection_name: BlueStacks
version: 1
description: Detector for BlueStacks (Android Emulator/App Player) application network traffic.
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

-- The callback names listed under "client" must match the global
-- functions defined further down in this file.
DetectorPackageInfo = {
    name = 'BlueStacks',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidate',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;
    gAppId = gDetector:open_createApp('bluestacks');

    if gDetector.open_addUrlPattern then
        -- An attempt to differentiate BlueStacks stages
        gUrlPatternList = {
            -- BlueStacks Update
            gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/updates/", "http:"),
            -- BlueStacks Download components
            gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/downloads/", "http:"),
            -- BlueStacks Apps
            gDetector:open_addUrlPattern(0, 0, gAppId, "opasanet.appspot.com", "/op/", "http:")
        }
    end

    -- HTTP patterns for the 'BlueStacks' string
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, 'BlueStacks');
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "BlueStacks/");
    end

    -- Pass each entry of gUrlPatternList to addAppUrl
    if gDetector.open_addUrlPattern then
        for i,v in ipairs(gUrlPatternList) do
            gDetector:addAppUrl(v[1],v[2],v[3],v[4],v[5],v[6]);
        end
    end

    return gDetector;
end

-- Registered as client.validate in DetectorPackageInfo
function DetectorValidate()
    local context = {}
    return clientFail(context)
end

-- Registered as client.clean in DetectorPackageInfo
function DetectorClean()
end

Thanks.
YM