[Snort-openappid] BlueStacks OpenAppID Detector‏

Y M snort at ...46...
Mon May 11 15:08:25 EDT 2015


Thank you Costas. Your comments are hugely appreciated and are exactly what I was looking for, awesome! I wanted to have separate apps but favored not to go for code repetition. With your additions it looks better now.
Shortly, I will send you the pcap directly, which includes both the client/server traffic.
Thanks again.
YM

From: ckleopa at ...5...
To: snort at ...46...
Date: Mon, 11 May 2015 18:55:43 +0000
CC: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] BlueStacks OpenAppID Detector‏

YM,

Thank you for your contribution! It would be great if you could also provide us with the respective pcaps, especially the ones from the client’s traffic, if you would like these to be included as some of the new detectors of our Open Source Package.

From what we saw below, there were some issues, on which we added comments below, marked [ck]:

Thanks
Costas

On May 11, 2015, at 2:18 PM, Y M <snort at ...46...> wrote:

Hi,

Since I did not find the BlueStacks app detector within the OpenAppID package, here is the code for the same detector (client_Bluestacks.lua). Any feedback (including rants :)) is welcome. Pcap can be provided if required.




--[[
detection_name: BlueStacks
version: 1
description: Detector for BlueStacks (Android Emulator/App Player) application network traffic.
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = 'BlueStacks',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorFini',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;

    gAppId = gDetector:open_createApp('bluestacks');

    if gDetector.open_addUrlPattern then
        -- An attempt to differentiate BlueStacks stages

[ck] You seem to be creating an array of a pattern list there for adding sub-classifications for BlueStacks. We should probably have the generic bluestacks.com URL there also:

            gDetector:open_addUrlPattern(0, 0, gAppId, "bluestacks.com", "/", "http:");

    gAppId = gDetector:open_createApp('bluestacks');

[ck] Not needed since you’re calling the API function below to add the following patterns.

--        gUrlPatternList = {

[ck] If you wanted new Applications for these, then we will need to have a different gAppId value defined there:

    gAppId = gDetector:open_createApp('bluestacks_update');

            -- BlueStacks Update
            gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/updates/", "http:");

[ck] added

    gAppId = gDetector:open_createApp('bluestacks_download');

            -- BlueStacks Download components
            gDetector:open_addUrlPattern(0, 0, gAppId, "cdn.bluestacks.com", "/downloads/", "http:");

[ck] added

    gAppId = gDetector:open_createApp('bluestacks_apps');

            -- BlueStacks Apps
            gDetector:open_addUrlPattern(0, 0, gAppId, "opasanet.appspot.com", "/op/", "http:");

[ck] removed array list.

--        }
    end

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, 'BlueStacks');

[ck] this below is not needed since the one above is covering for it.

--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "BlueStacks/");

    end

[ck] This for loop below is not needed since you have added these patterns already in the open_addUrlPattern calls above.

    if gDetector.open_addUrlPattern then
        for i,v in ipairs(gUrlPatternList) do
            gDetector:addAppUrl(v[1],v[2],v[3],v[4],v[5],v[6]);
        end
    end

[ck] — end remove.

    return gDetector;
end

function DetectorValidator()
    local context = {}
    return clientFail(context)
end

function DetectorFini()
end

Thanks.

YM
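A consolidated version of the detector that applies the [ck] edits, written here as an added example rather than taken from the thread or from the OpenAppID package: it registers one app id per BlueStacks stage from a small table, and it keeps the generic 'bluestacks' id in its own variable so that the open_addHttpPattern call still binds to the generic app rather than to whichever stage id was assigned to gAppId last (in the edited code above that would be 'bluestacks_apps'). The API names and argument order are the ones used in the thread; the gStages table and baseAppId are this example's own, and the DetectorValidator body is left exactly as posted.

```lua
--[[
detection_name: BlueStacks
version: 1
description: Consolidated BlueStacks client detector (added example, not the
             OpenAppID package's own file), applying the review edits above.
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

-- One entry per BlueStacks stage, plus the generic one. This table is
-- constructed for the example; hosts and paths are the ones from the thread.
local gStages = {
    -- app name              host                    path           scheme
    { 'bluestacks',          'bluestacks.com',       '/',           'http:' },
    { 'bluestacks_update',   'cdn.bluestacks.com',   '/updates/',   'http:' },
    { 'bluestacks_download', 'cdn.bluestacks.com',   '/downloads/', 'http:' },
    { 'bluestacks_apps',     'opasanet.appspot.com', '/op/',        'http:' },
}

DetectorPackageInfo = {
    name = 'BlueStacks',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorFini',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;

    -- Keep the generic app id in its own variable (example's own name) so the
    -- per-stage ids created below cannot overwrite it before the HTTP pattern
    -- is registered.
    local baseAppId = gDetector:open_createApp('bluestacks');

    if gDetector.open_addUrlPattern then
        for _, stage in ipairs(gStages) do
            local name, host, path, scheme = stage[1], stage[2], stage[3], stage[4]
            -- Reuse the generic id for the generic entry; every other stage
            -- gets its own app id, as the review asked for.
            local appId = (name == 'bluestacks') and baseAppId
                          or gDetector:open_createApp(name)
            -- Same argument order as in the thread: service, client and
            -- payload app ids, then host, path and scheme.
            gDetector:open_addUrlPattern(0, 0, appId, host, path, scheme);
        end
    end

    if gDetector.open_addHttpPattern then
        -- The HTTP pattern from the thread, bound to the generic client app id
        -- rather than to the last stage id that was created.
        gDetector:open_addHttpPattern(2, 5, 0, baseAppId, 0, 'BlueStacks');
    end

    return gDetector;
end

function DetectorValidator()
    local context = {}
    return clientFail(context)
end

function DetectorFini()
end
```

Adding a new stage is then a one-line table entry, which keeps the per-stage app ids without the code repetition the thread was trying to avoid.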

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!