[Snort-openappid] YoudaoDict OpenAppID Detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Wed May 13 17:06:16 EDT 2015


Thanks for your contribution again. We will evaluate its use and see if we can add it to a future release of ours.

We already see some issues with this, so if you can send us pcaps for validation again, we can describe in detail the problems we see.

Costas

On May 13, 2015, at 4:44 PM, Y M <snort at ...46...> wrote:

Hi,

Below is an OpenAppID detector for the YoudaoDict app. There are OS-based clients and the detector below documents some of them. The code is commented to reflect the documentation. Pcaps available if needed (client/server).

My first approach to tackle this was to use logic/flow similar to "client_Gnutella.lua", however, there were pieces I couldn't find any documentation for and had no luck getting it to work. Will try to give it another shot.

--[[
detection_name: YoudaoDict Pro
version: 1
description: Detector for YoudaoDict dictation and dictionary clients (Windows, OS X, Android). There is a client for iOS, but not tested (no emulator).
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil
gAppId = nil

DetectorPackageInfo = {
    name = 'YoudaoDict',
    proto = DC.ipproto.tcp,
    client = {
        -- The callback names here must match the functions defined below
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    DC.printf('%s:DetectorInit()\n', DetectorPackageInfo.name)

    --[[ There is a limitation on the maximum number of characters for the AppId passed to open_createApp
         Maximum number of allowed characters: 14
         Error message: Appname invalid
         Need to be added to OpenAppID documentation
    ]]--

    -- All patterns below are registered with patternType 2, i.e. matched against the HTTP User-Agent header.
    -- Each client gets its own AppId; gAppId is reused because the patterns are registered immediately.

    -- Detector for the Android client
    gAppId = gDetector:open_createApp('youdaodict_and')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Android")
    end

    -- Detector for Windows
    gAppId = gDetector:open_createApp('youdaodict_win')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "(windowspc)")
    end

    -- Detector for Windows client
    gAppId = gDetector:open_createApp('youdaodict_winc')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Windows")
    end

    --[[ Detector for OS X. There are two versions of the same app
         One can be downloaded directly from the app website (tested below)
         Second can be downloaded from AppStore (not tested)
    ]]--
    gAppId = gDetector:open_createApp('youdaodict_osx')

    if gDetector.open_addHttpPattern then
        -- Decimal-escaped UTF-8 bytes of the product name as it appears in the User-Agent
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "\230\156\137\233\129\147\232\175\141\229\133\184")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Darwin")
    end

    return gDetector
end

function DetectorValidator()
    -- No logic here: the validator is not called when traffic is HTTP,
    -- so the HTTP patterns registered in DetectorInit do all the work.
    local context = {}
    return gDetector:client_fail(context)
end

function DetectorClean()
end

Thanks.
YM
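As an added example (not part of the thread or of the detector above), the following Python script checks the detector's User-Agent substrings offline before they go into an appid.conf. It decodes the Lua decimal-escaped OS X pattern, applies the 14-character open_createApp limit the post documents to each AppId name, and runs constructed sample User-Agent strings against the patterns. Whether OpenAppID ANDs the several patterns registered for one app or treats each as an independent hit is not stated in the thread, so the matcher reports both modes; the sample User-Agent values are constructed for this example, not captured traffic.

```python
"""Offline sanity check for the YoudaoDict OpenAppID User-Agent patterns.

Added example, not code from the thread. Sample User-Agent values below
are constructed, not captured traffic.
"""

# Patterns exactly as registered in the detector, keyed by the AppId name
# passed to open_createApp. The OS X entry is the Lua decimal-escape form.
DETECTOR_PATTERNS = {
    "youdaodict_and": ["youdaodict", "Android"],
    "youdaodict_win": ["youdaodict", "(windowspc)"],
    "youdaodict_winc": ["Youdao Desktop Dict", "Windows"],
    "youdaodict_osx": [
        r"\230\156\137\233\129\147\232\175\141\229\133\184",
        "Darwin",
    ],
}

# Limit reported in the post ("Appname invalid" beyond 14 characters).
MAX_APPNAME_LEN = 14

# Constructed sample User-Agent headers (assumption: illustrative only).
SAMPLE_USER_AGENTS = {
    "android_app": b"youdaodict/2.0 (Android 4.4)",
    "android_browser": b"Mozilla/5.0 (Linux; Android 4.4) Chrome/40.0",
    "windows_app": b"youdaodict/6.0 (windowspc)",
    "windows_desktop": b"Youdao Desktop Dict/1.0 (Windows NT 6.1)",
    "osx_app": "有道词典".encode("utf-8") + b"/2.0 (Darwin 14.3)",
}


def lua_unescape(pattern: str) -> bytes:
    """Turn a Lua string literal body with \\ddd decimal escapes into bytes."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1].isdigit():
            j = i + 1
            while j < len(pattern) and j < i + 4 and pattern[j].isdigit():
                j += 1  # Lua allows up to three decimal digits per escape
            out.append(int(pattern[i + 1:j]))
            i = j
        else:
            out.extend(pattern[i].encode("utf-8"))
            i += 1
    return bytes(out)


def invalid_app_names(patterns=DETECTOR_PATTERNS, limit=MAX_APPNAME_LEN):
    """AppId names that exceed the open_createApp length limit from the post."""
    return [name for name in patterns if len(name) > limit]


def match_user_agent(user_agent: bytes, require_all: bool,
                     patterns=DETECTOR_PATTERNS):
    """AppIds whose registered substrings occur in the User-Agent bytes.

    require_all=True demands every pattern of an app (product AND platform);
    require_all=False flags an app on any single pattern, which shows how
    broad a bare platform token such as "Android" or "Windows" is on its own.
    """
    hits = []
    for app, pats in patterns.items():
        found = [lua_unescape(p) in user_agent for p in pats]
        if all(found) if require_all else any(found):
            hits.append(app)
    return sorted(hits)


if __name__ == "__main__":
    print("AppId names over the limit:", invalid_app_names())
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(f"{label:16} any-pattern={match_user_agent(ua, False)} "
              f"all-patterns={match_user_agent(ua, True)}")
```

Running the script shows that `youdaodict_winc` is one character over the documented limit, and that in any-pattern mode a generic Android browser User-Agent is tagged as the Android client because "Android" is registered by itself; that is the kind of false positive to look for in the validation pcaps Costas asks for.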