[Snort-openappid] YoudaoDict OpenAppID Detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Thu May 14 09:04:30 EDT 2015


YM,

We have analyzed the pcaps you sent to us. When it comes to including this detector in our open source package, we will include just one that would support the application for multiple OSes. I understand you would like to track this with multiple OS and you can keep doing that by using your detector as one of your custom detectors. From what we see in the pcaps you are matching the User-Agent strings of the HTTP traffic. Unfortunately you are assuming that when you call open_addHttpPattern twice for the same AppID it will treat them as an AND, but it's actually an OR. As a result, when you have the keyword "Android" in it, it will match this AppID every time the User-Agent contains that keyword in its string. That will probably give you a lot of false positives.

Here’s some more details for each statement.

On May 13, 2015, at 4:44 PM, Y M <snort at ...46...> wrote:

Hi,

Below is an OpenAppID detector for the YoudaoDict app. There are OS-based clients and the detector below documents some of them. The code is commented to reflect the documentation. Pcaps available if needed (client/server).

My first approach to tackle this was to use logic/flow similar to "client_Gnutella.lua", however, there were pieces I couldn't find any documentation for and had no luck getting it to work. Will try to give it another shot.

--[[
detection_name: YoudaoDict Pro
version: 1
description: Detector for YoudaoDict dictation and dictionary clients (Windows, OS X, Android). There is a client for iOS, but not tested (no emulator).
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = 'YoudaoDict',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        -- callback names must match the functions defined below
        validate = 'DetectorValidator',
        clean = 'DetectorFini',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;
    DC.printf ('%s:DetectorInit()\n', DetectorPackageInfo.name)

    --[[ There is a limitation on the maximum number of characters for the AppId passed to open_createApp
         Maximum number of allowed characters: 14
         Error message: Appname invalid
         Need to be added to OpenAppID documentation

[ck] We will make sure we add it in the future. We have already increased it to 64 in a future release of OpenAppID.

    ]]--

    -- Detector for the Android client
    gAppId = gDetector:open_createApp('youdaodict_and')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Android")
[ck] remove that.

    end

    -- Detector for Windows
    gAppId = gDetector:open_createApp('youdaodict_win')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
[ck] change this to:
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict (Windows")

--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "(windowspc)")
[ck] remove that.
    end

    -- Detector for Windows client
[ck] we don't have a pcap for that to verify. I would just use the pattern above for the youdaodict_win detector, so remove this below.
    gAppId = gDetector:open_createApp('youdaodict_winc')


    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Windows")
    end

[ck] end remove

    --[[ Detector for OS X. There are two versions of the same app
         One can be downloaded directly from the app website (tested below)
         Second can be downloaded from AppStore (not tested)
    ]]--
    gAppId = gDetector:open_createApp('youdaodict_osx')

    if gDetector.open_addHttpPattern then
[ck] since this is only comparing ASCII values, you should use whatever the User-Agent string is including. Replace this:
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "\230\156\137\233\129\147\232\175\141\229\133\184")

[ck] with this:
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8")

[ck] remove that below.
--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Darwin")
    end


[ck] I would also add the 2 HTTP patterns in there too from their website so we can get their payloads covered too:

    gAppId = gDetector:open_createApp("youdaodict");

    if gDetector.addAppUrl then
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "youdao.com", "/", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ydstatic.com", "/", "http:", "", gAppId);
    end

    return gDetector;
end

function DetectorValidator()

    -- no logic here since the validator is not called when traffic is HTTP;
    -- the HTTP patterns registered in DetectorInit do the classification.
    -- Assumes DetectorCommon exports the clientStatus constants.

    local context = {}
    return DC.clientStatus.failed
end

function DetectorFini()
end

Thanks.
YM
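The AND-versus-OR point made above, as an added example that is neither YM's detector nor OpenAppID code: a small Python model of a User-Agent pattern table in which every entry registered for an AppID is tested independently and the comparison is a raw byte substring test, run over three constructed HTTP requests. The User-Agent values, the reading of open_addHttpPattern's arguments (pattern type 2 taken as User-Agent, as the thread treats it) and the request layout are assumptions for illustration, not captured traffic.

```python
# Added example (not OpenAppID code): toy model of how several
# open_addHttpPattern() entries registered against one AppID are evaluated.
# Entries are OR'ed, and the engine compares literal bytes, so a raw UTF-8
# pattern and its percent-encoded form are two different patterns.
from typing import Dict, List, Optional, Set, Tuple


def user_agent_of(raw_request: bytes) -> Optional[bytes]:
    """Pull the User-Agent header value out of a raw HTTP/1.x request."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


class HttpPatternTable:
    """Stand-in for the detector's pattern table: (pattern bytes, AppID)."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, str]] = []

    def add_http_pattern(self, app_id: str, pattern: str) -> None:
        # Models open_addHttpPattern(2, 5, 0, appId, 0, pattern) with the
        # pattern stored as the literal bytes it must find in the header.
        self.entries.append((pattern.encode("utf-8"), app_id))

    def classify(self, raw_request: bytes) -> Set[str]:
        """Every AppID with at least one pattern found in the UA (OR, not AND)."""
        ua = user_agent_of(raw_request)
        if ua is None:
            return set()
        return {app for pat, app in self.entries if pat in ua}


# Constructed sample requests (assumed shapes, not captured traffic).
REQUESTS: Dict[str, bytes] = {
    # a generic Android browser that has nothing to do with YoudaoDict
    "chrome_android": (
        b"GET / HTTP/1.1\r\nHost: example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Linux; Android 5.0) Chrome/42.0\r\n\r\n"
    ),
    # assumed Android client UA: contains the product name
    "youdao_android": (
        b"GET /dict HTTP/1.1\r\nHost: dict.youdao.com\r\n"
        b"User-Agent: youdaodict/6.0 (Android 5.0)\r\n\r\n"
    ),
    # assumed OS X client UA: the Chinese app name percent-encoded on the wire
    "youdao_osx": (
        b"GET /dict HTTP/1.1\r\nHost: dict.youdao.com\r\n"
        b"User-Agent: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/2.0 Darwin\r\n\r\n"
    ),
}

# What a correct detector should report for each constructed request.
EXPECTED: Dict[str, Set[str]] = {
    "chrome_android": set(),
    "youdao_android": {"youdaodict_and"},
    "youdao_osx": {"youdaodict_osx"},
}


def as_posted() -> HttpPatternTable:
    """First draft: 'youdaodict' OR 'Android', and raw UTF-8 bytes for OS X."""
    t = HttpPatternTable()
    t.add_http_pattern("youdaodict_and", "youdaodict")
    t.add_http_pattern("youdaodict_and", "Android")
    t.add_http_pattern("youdaodict_osx", "\u6709\u9053\u8bcd\u5178")  # same bytes as \230\156\137...
    return t


def as_revised() -> HttpPatternTable:
    """After review: one specific pattern per AppID, in its on-the-wire form."""
    t = HttpPatternTable()
    t.add_http_pattern("youdaodict_and", "youdaodict")
    t.add_http_pattern("youdaodict_osx", "%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8")
    return t


def errors(table: HttpPatternTable) -> Dict[str, Set[str]]:
    """Requests the table misclassifies, mapped to what it actually reported."""
    return {name: table.classify(req) for name, req in REQUESTS.items()
            if table.classify(req) != EXPECTED[name]}


if __name__ == "__main__":
    print("as posted :", errors(as_posted()))   # Chrome tagged as YoudaoDict; OS X client missed
    print("as revised:", errors(as_revised()))  # no misclassifications
```

The first table reports the Chrome request as youdaodict_and because the "Android" entry alone is enough to match, and misses the OS X client because the raw UTF-8 bytes never appear in a percent-encoded header; the revised table gets all three right. The same reasoning applies to any keyword common to many clients (Windows, Darwin, Mozilla): a second open_addHttpPattern call widens the match, it never narrows it.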
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
