[Snort-openappid] YoudaoDict OpenAppID Detector

Y M snort at ...46...
Wed May 13 16:44:21 EDT 2015


Hi,

Below is an OpenAppID detector for the YoudaoDict app. There are OS-based clients and the detector below documents some of them. The code is commented to reflect the documentation. Pcaps are available if needed (client/server).
My first approach to tackle this was to use logic/flow similar to "client_Gnutella.lua"; however, there were pieces I couldn't find any documentation for and had no luck getting it to work. Will try to give it another shot.
--[[
detection_name: YoudaoDict Pro
version: 1
description: Detector for YoudaoDict dictation and dictionary clients (Windows, OS X, Android). There is a client for iOS, but not tested (no emulator).
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = 'YoudaoDict',
    proto = DC.ipproto.tcp,
    client = {
        -- the three names here must be the functions defined below
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorFini',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;
    DC.printf ('%s:DetectorInit()\n', DetectorPackageInfo.name)

    --[[ There is a limitation on the maximum number of characters for the AppId passed to open_createApp
         Maximum number of allowed characters: 14
         Error message: Appname invalid
         Need to be added to OpenAppID documentation
    ]]--

    -- open_addHttpPattern arguments: pattern type, sequence, service app id,
    -- client app id, payload app id, literal to match. 2/5 is the User-Agent
    -- combination; each literal is matched on its own against the User-Agent header.

    -- Detector for the Android client
    gAppId = gDetector:open_createApp('youdaodict_and')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Android")
    end

    -- Detector for Windows
    -- ("youdaodict" is also registered for the Android app above)
    gAppId = gDetector:open_createApp('youdaodict_win')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "(windowspc)")
    end

    -- Detector for Windows client
    gAppId = gDetector:open_createApp('youdaodict_winc')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Windows")
    end

    --[[ Detector for OS X. There are two versions of the same app
         One can be downloaded directly from the app website (tested below)
         Second can be downloaded from AppStore (not tested)
    ]]--
    gAppId = gDetector:open_createApp('youdaodict_osx')
    if gDetector.open_addHttpPattern then
        -- UTF-8 bytes of the app's Chinese name, 有道词典 (Youdao Dictionary)
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "\230\156\137\233\129\147\232\175\141\229\133\184")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Darwin")
    end

    return gDetector;
end

function DetectorValidator()
    -- no logic here since validator is not called when traffic is HTTP.
    local context = {}
    return clientFail(context)
end

function DetectorFini()
end
Thanks.
YM
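The following is an added stand-alone harness, not part of the post above and not Snort code. It stubs the two detector methods the posted detector calls (open_createApp and open_addHttpPattern), loads the detector from a file, checks that the entry points named in DetectorPackageInfo actually exist, and replays constructed User-Agent strings (not captured traffic) through the registered literals with a plain substring search. Assumptions: the detector is saved as YoudaoDict.lua (or passed as the first argument); the 14-character open_createApp limit is the one the post reports; how Snort ranks a User-Agent that hits literals of several apps is not modeled, so the harness simply lists every app whose literals occur.

```lua
-- check_youdao_detector.lua  (added harness; not from the post and not Snort code)
-- Loads an OpenAppID client detector against a stub detector object and reports
-- which registered User-Agent literals occur in constructed User-Agent strings.
-- Assumptions: detector file YoudaoDict.lua (or arg[1]); 14-char name limit as
-- reported in the post; plain substring matching, no engine ranking.

local APP_NAME_MAX    = 14   -- limit reported in the post ("Appname invalid")
local HTTP_USER_AGENT = 2    -- first argument the detector passes to open_addHttpPattern

-- Minimal DetectorCommon so `require "DetectorCommon"` works outside Snort.
package.loaded["DetectorCommon"] = {
    ipproto = { tcp = 6, udp = 17 },
    printf  = function(...) io.write(string.format(...)) end,
}

local Stub = {}
Stub.__index = Stub

function Stub.new()
    return setmetatable({ apps = {}, patterns = {}, next_id = 100000 }, Stub)
end

function Stub:open_createApp(name)
    -- Warn rather than fail: the post reports the limit but its own
    -- 'youdaodict_winc' is 15 characters.
    if #name > APP_NAME_MAX then
        io.write(("warning: %q is %d chars, over the %d-char limit the post reports\n"):format(name, #name, APP_NAME_MAX))
    end
    local id = self.next_id
    self.next_id = id + 1
    self.apps[id] = name
    return id
end

-- Same argument order as the detector's calls:
-- (pattern type, sequence, service app id, client app id, payload app id, literal)
function Stub:open_addHttpPattern(ptype, seq, service_id, client_id, payload_id, literal)
    assert(ptype == HTTP_USER_AGENT, "harness only models User-Agent literals")
    assert(self.apps[client_id], "literal registered for an app id open_createApp never returned")
    self.patterns[#self.patterns + 1] = { app = self.apps[client_id], literal = literal }
end

-- Returns app name -> list of its literals that occur in ua.
function Stub:hits(ua)
    local found = {}
    for _, p in ipairs(self.patterns) do
        -- plain find: "(windowspc)" must not be read as a Lua pattern
        if ua:find(p.literal, 1, true) then
            found[p.app] = found[p.app] or {}
            found[p.app][#found[p.app] + 1] = p.literal
        end
    end
    return found
end

-- Load the detector and make sure DetectorPackageInfo names functions that exist.
assert(loadfile((arg and arg[1]) or "YoudaoDict.lua"))()
for _, key in ipairs({ "init", "validate", "clean" }) do
    local fname = DetectorPackageInfo.client[key]
    assert(type(_G[fname]) == "function", ("client.%s names %q, which is not defined"):format(key, tostring(fname)))
end

local det = Stub.new()
_G[DetectorPackageInfo.client.init](det)

-- An app with no literal can never be assigned.
local count = {}
for _, p in ipairs(det.patterns) do count[p.app] = (count[p.app] or 0) + 1 end
for _, name in pairs(det.apps) do
    assert(count[name], name .. " was created but has no User-Agent literal")
end

-- Constructed User-Agent strings (not captured traffic): one per client in the post plus a miss.
local samples = {
    "youdaodict/7.0 (Linux; Android 5.1)",
    "youdaodict/6.1 (windowspc)",
    "Youdao Desktop Dict/6.3 (Windows NT 6.1)",
    "有道词典/2.0 (Darwin 14.3.0)",
    "Mozilla/5.0 (Macintosh) Safari/600.5",
}
for _, ua in ipairs(samples) do
    io.write(ua, "\n")
    local h = det:hits(ua)
    if next(h) == nil then io.write("  no literal matched\n") end
    for app, lits in pairs(h) do
        io.write(("  %s via %s\n"):format(app, table.concat(lits, ", ")))
    end
end
```

Run it as `lua check_youdao_detector.lua YoudaoDict.lua`. Two things it surfaces on the detector as posted: the name 'youdaodict_winc' is 15 characters, one over the limit the post gives, and the second constructed string ("youdaodict/6.1 (windowspc)") lists both youdaodict_and and youdaodict_win, because the literal "youdaodict" is registered for both app ids. Which of the two Snort would report for such a User-Agent is exactly the part this harness does not model, so it is worth confirming against the pcaps before relying on the split.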