[Snort-openappid] YoudaoDict OpenAppID Detector

Y M snort at ...46...
Wed May 13 17:13:50 EDT 2015


Thank you Costas. I understand your point regarding the issues, as it feels that it can be done a lot better. Pcaps will be coming your way shortly.
Thanks.
YM

From: ckleopa at ...5...
To: snort at ...46...
Date: Wed, 13 May 2015 21:06:16 +0000
CC: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] YoudaoDict OpenAppID Detector

Thanks for your contribution again. We will evaluate its use and see if we can add it to a future release of ours.

We already see some issues with this, so if you can send us pcaps for validation again, we can describe in detail the problems we see.

Costas

On May 13, 2015, at 4:44 PM, Y M <snort at ...46...> wrote:

Hi,

Below is an OpenAppID detector for the YoudaoDict app. There are OS-based clients and the detector below documents some of them. The code is commented to reflect the documentation. Pcaps available if needed (client/server).

My first approach to tackle this was to use logic/flow similar to "client_Gnutella.lua", however, there were pieces I couldn't find any documentation for and had no luck getting it to work. Will try to give it another shot.

--[[
detection_name: YoudaoDict Pro
version: 1
description: Detector for YoudaoDict dictation and dictionary clients (Windows, OS X, Android). There is a client for iOS, but not tested (no emulator).
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil
gAppId = nil

-- The function names here must match the functions defined below
-- (the engine looks them up by these strings).
DetectorPackageInfo = {
    name = 'YoudaoDict',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

-- Returned by the validator when this detector gives up on a flow.
local function clientFail(context)
    DC.printf ('%s:failed()\n', DetectorPackageInfo.name)
    return DC.clientStatus.einvalid
end

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;
    DC.printf ('%s:DetectorInit()\n', DetectorPackageInfo.name)

    --[[ There is a limitation on the maximum number of characters for the AppId passed to open_createApp
         Maximum number of allowed characters: 14
         Error message: Appname invalid
         Need to be added to OpenAppID documentation
    ]]--

    --[[ Each open_addHttpPattern call below registers one independent HTTP User-Agent
         substring (pattern type 2) for the given app id. The two patterns registered
         for an app are not combined, so a generic token such as "Android", "Windows"
         or "Darwin" also matches other clients that carry it in their User-Agent.
    ]]--

    -- Detector for the Android client
    gAppId = gDetector:open_createApp('youdaodict_and')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Android")
    end

    -- Detector for Windows
    gAppId = gDetector:open_createApp('youdaodict_win')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "(windowspc)")
    end

    -- Detector for Windows client
    gAppId = gDetector:open_createApp('youdaodict_winc')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Windows")
    end

    --[[ Detector for OS X. There are two versions of the same app:
         one can be downloaded directly from the app website (tested below),
         the second can be downloaded from the App Store (not tested).
         The escaped string is the UTF-8 encoding of the app's Chinese name, 有道词典.
    ]]--
    gAppId = gDetector:open_createApp('youdaodict_osx')
    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "\230\156\137\233\129\147\232\175\141\229\133\184")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Darwin")
    end

    return gDetector;
end

function DetectorValidator()
    -- No logic here: the validator is not called when the traffic is HTTP,
    -- and the HTTP patterns registered in DetectorInit do the detection.
    local context = {}
    return clientFail(context)
end

function DetectorClean()
end

Thanks.
YM
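Added example, not part of the thread or of the OpenAppID project: a small Python harness that reviews the User-Agent substrings the detector above registers. It decodes the Lua decimal escapes of the OS X pattern to show what text they encode, checks every app name against the 14-character open_createApp limit that the detector's own comment reports, lists substrings registered under more than one app id, and runs the patterns over a handful of User-Agent strings to show which tokens also fire on unrelated clients. The substring matching in Python is a stand-in for OpenAppID's matcher, and the sample User-Agent strings are constructed, not captured traffic.

```python
import re

# Constructed sample User-Agent strings (not captured traffic): three that carry the
# tokens the detector keys on, and three from unrelated clients on the same platforms.
SAMPLE_USER_AGENTS = {
    "youdao_android": "youdaodict/6.0 (Android 4.4; Nexus 5)",
    "youdao_osx": "\u6709\u9053\u8bcd\u5178/2.0 Darwin/14.3.0",
    "youdao_windows": "Youdao Desktop Dict 6.3 (Windows NT 6.1)",
    "other_android": "Dalvik/1.6.0 (Linux; U; Android 4.4.2; SM-G900F)",
    "other_mac": "CFNetwork/720.3 Darwin/14.3.0",
    "other_windows": "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101",
}


def decode_lua_escapes(lua_literal):
    """Decode the body of a Lua string literal whose non-ASCII bytes are written
    as decimal escapes (\\ddd) into text. Lua \\ddd escapes are raw byte values,
    so they are collected as bytes first and then decoded as UTF-8."""
    raw = bytearray()
    pos = 0
    for m in re.finditer(r"\\(\d{1,3})", lua_literal):
        raw.extend(lua_literal[pos:m.start()].encode("utf-8"))
        raw.append(int(m.group(1)))
        pos = m.end()
    raw.extend(lua_literal[pos:].encode("utf-8"))
    return raw.decode("utf-8")


# The OS X pattern exactly as it appears in the detector source.
OSX_PATTERN_LUA = r"\230\156\137\233\129\147\232\175\141\229\133\184"

# app id name -> User-Agent substrings, as the detector registers them
APP_PATTERNS = {
    "youdaodict_and": ["youdaodict", "Android"],
    "youdaodict_win": ["youdaodict", "(windowspc)"],
    "youdaodict_winc": ["Youdao Desktop Dict", "Windows"],
    "youdaodict_osx": [decode_lua_escapes(OSX_PATTERN_LUA), "Darwin"],
}

MAX_APP_NAME_LEN = 14  # limit the detector's own comment reports for open_createApp


def oversized_app_names(patterns=APP_PATTERNS):
    """App names longer than the limit noted in the detector's comment."""
    return sorted(n for n in patterns if len(n) > MAX_APP_NAME_LEN)


def shared_patterns(patterns=APP_PATTERNS):
    """Substrings registered under more than one app id; a hit on one of these
    alone cannot tell the apps apart."""
    owners = {}
    for app, subs in patterns.items():
        for p in subs:
            owners.setdefault(p, set()).add(app)
    return {p: apps for p, apps in owners.items() if len(apps) > 1}


def match_user_agent(user_agent, patterns=APP_PATTERNS):
    """Case-sensitive substring search standing in for the engine's matcher:
    returns {app id: [patterns that hit]} for one User-Agent string."""
    hits = {}
    for app, subs in patterns.items():
        found = [p for p in subs if p in user_agent]
        if found:
            hits[app] = found
    return hits


def overbroad_patterns(patterns=APP_PATTERNS, samples=SAMPLE_USER_AGENTS):
    """Patterns that also hit a sample User-Agent from a non-Youdao client."""
    report = {}
    for label, ua in samples.items():
        if label.startswith("youdao_"):
            continue
        for subs in patterns.values():
            for p in subs:
                if p in ua:
                    report.setdefault(p, set()).add(label)
    return report


if __name__ == "__main__":
    print("OS X pattern decodes to:", decode_lua_escapes(OSX_PATTERN_LUA))
    print("names over %d chars:" % MAX_APP_NAME_LEN, oversized_app_names())
    print("patterns shared by several app ids:", shared_patterns())
    for label, ua in SAMPLE_USER_AGENTS.items():
        print("%-15s -> %s" % (label, match_user_agent(ua)))
    print("patterns that also fire on non-Youdao samples:", overbroad_patterns())
```

Run stand-alone, the script reports that the escaped OS X pattern is the name 有道词典, that "youdaodict" is registered for both the Android and the Windows app id, that "youdaodict_winc" is 15 characters against the 14-character limit stated in the detector, and that the platform tokens "Android", "Windows" and "Darwin" also hit the unrelated sample clients. Any pattern set that is meant to identify one client should come out of such a review with an empty overbroad report.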

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!