[Snort-openappid] BlueStacks OpenAppID Detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon May 11 14:55:43 EDT 2015


YM,

Thank you for your contribution! It would be great if you could also provide us with the respective pcaps, especially the ones from the client’s traffic, if you would like these to be included as some of the new detectors in our Open Source Package.

From what we saw below, there were some issues, which we have commented on below: [ck]

Thanks
Costas

On May 11, 2015, at 2:18 PM, Y M <snort at ...46...> wrote:

Hi,

Since I did not find the BlueStacks app detector within the OpenAppID package, here is the code for the same detector (client_Bluestacks.lua). Any feedback (including rants :)) is welcome. Pcap can be provided if required.

--[[
detection_name: BlueStacks
version: 1
description: Detector for BlueStacks (Android Emulator/App Player) application network traffic.
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = 'BlueStacks',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidate',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}


function DetectorInit(detectorInstance)
    gDetector = detectorInstance;

    gAppId = gDetector:open_createApp('bluestacks');

    if gDetector.open_addUrlPattern then
        -- An attempt to differentiate BlueStacks stages

[ck] You seem to be creating an array of a pattern list there for adding sub-classifications for BlueStacks.
We should probably have the generic bluestacks.com URL there also:

        gDetector:open_addUrlPattern(0, 0, gAppId, "bluestacks.com", "/", "http:")


    gAppId = gDetector:open_createApp('bluestacks');

[ck] Not needed since you’re calling the API function below to add the following patterns.
--        gUrlPatternList = {

[ck] If you wanted new Applications for these, then we will need to have a different gAppId value defined there:

        gAppId = gDetector:open_createApp('bluestacks_update');
        -- BlueStacks Update
        gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/updates/", "http:")
[ck] added
        gAppId = gDetector:open_createApp('bluestacks_download');
        -- BlueStacks Download components
        gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/downloads/", "http:")
[ck] added
        gAppId = gDetector:open_createApp('bluestacks_apps');

        -- BlueStacks Apps
        gDetector:open_addUrlPattern(0, 0, gAppId, "opasanet.appspot.com", "/op/", "http:")

[ck] removed array list.
--        }
    end

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, 'BlueStacks');

[ck] This below is not needed since the one above covers it.

--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "BlueStacks/");
    end

[ck] This for loop below is not needed since you have added these patterns already in the addURLPattern call above.
    if gDetector.open_addUrlPattern then
        for i,v in ipairs(gUrlPatternList) do
            gDetector:addAppUrl(v[1],v[2],v[3],v[4],v[5],v[6]);
        end
    end
[ck] — end remove.

    return gDetector;
end

-- Function names must match the 'validate' and 'clean' entries registered
-- in DetectorPackageInfo above (DetectorValidate / DetectorClean).
function DetectorValidate()
    local context = {}
    -- clientFail is not defined in this file; it must be supplied by the
    -- detector environment.
    return clientFail(context)
end

function DetectorClean()
end

Thanks.
YM
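As an added example (not code from YM's post or from Costas's review), here is the detector assembled with the [ck] comments applied: one app id per classification kept in a table, the generic bluestacks.com pattern included, the pattern list and its for loop gone, and the HTTP header pattern bound explicitly to the base 'bluestacks' app rather than to whatever the shared gAppId global last held. It assumes the OpenAppID calls already used on the page (open_createApp, open_addUrlPattern, open_addHttpPattern) with the same argument layout, and it assumes a pattern-only client detector may register just init and clean, so the validator that only ever fails is left out.

```lua
--[[
detection_name: BlueStacks
version: 2
description: Detector for BlueStacks (Android Emulator/App Player) application network traffic.
metadata: OpenAppID community
]]--

-- Added example, not the poster's or the reviewer's code. Assumes the
-- open_createApp / open_addUrlPattern / open_addHttpPattern calls behave as
-- used in the detector above, with the same argument layout.

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

-- One app id per classification, so each URL pattern maps to its own app
-- instead of to whichever id a shared global was last assigned.
local gAppIds = {}

-- Host / path pairs per app, kept as data so the API is called in one place.
-- Host and path values are the ones from the detector and review above.
local urlPatterns = {
    { app = 'bluestacks',          host = 'bluestacks.com',       path = '/' },
    { app = 'bluestacks_update',   host = 'cdn.bluestacks.com',   path = '/updates/' },
    { app = 'bluestacks_download', host = 'cdn.bluestacks.com',   path = '/downloads/' },
    { app = 'bluestacks_apps',     host = 'opasanet.appspot.com', path = '/op/' },
}

DetectorPackageInfo = {
    name = 'BlueStacks',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance

    -- Create every app id once; the guard lets one app own several paths
    -- without creating it twice.
    for _, p in ipairs(urlPatterns) do
        if not gAppIds[p.app] then
            gAppIds[p.app] = gDetector:open_createApp(p.app)
        end
    end

    if gDetector.open_addUrlPattern then
        for _, p in ipairs(urlPatterns) do
            gDetector:open_addUrlPattern(0, 0, gAppIds[p.app], p.host, p.path, "http:")
        end
    end

    if gDetector.open_addHttpPattern then
        -- Bound to the base 'bluestacks' app, not to the last sub-app created.
        -- Same argument values as the original detector; 'BlueStacks' already
        -- covers 'BlueStacks/' as the review notes.
        gDetector:open_addHttpPattern(2, 5, 0, gAppIds['bluestacks'], 0, 'BlueStacks')
    end

    return gDetector
end

function DetectorClean()
end
```

Registering each sub-app against its own id is what makes hits on /updates/, /downloads/ and /op/ show up as separate applications in the appid output; with a single reused global, every pattern registered after the last open_createApp call would have been attached to that last id, and so would the HTTP header pattern.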
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

