[Snort-openappid] YoudaoDict OpenAppID Detector

Y M snort at ...46...
Thu May 14 15:34:33 EDT 2015


Thank you Costas for your comments. Now I have more questions, and I also added comments to the detector :).
You are correct about my assumption of an AND relationship instead of OR. Now I see how this can create an issue. In this regard and similar cases, would the use of gPatterns and subsequently gFastPatterns be the preferred approach?
In some of the existing detectors, I noticed the use of API calls that are not prefixed with "open_", such as registerPattern, registerAppId, getPcreGroups. Does this mean these calls are not yet open for use? I tried using registerPattern and registerAppId in one of my attempts; however, I kept getting the error "Invalid direct client application AppId", which I couldn't find a way to troubleshoot.
Also, in some of the existing detectors, typeID is being used. What does the typeID refer to in relation to serviceID? In the documentation, types such as clientAppType and payloadAppType are marked as legacy. Are these related to typeID?
Thanks.
YM
From: ckleopa at ...5...
To: snort at ...46...
Date: Thu, 14 May 2015 13:04:30 +0000
CC: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] YoudaoDict OpenAppID Detector

YM,

We have analyzed the pcaps you sent to us. When it comes to including this detector in our open source package, we will include just one that would support the application for multiple OSs. I understand you would like to track this with multiple OS and you can keep doing that by using your detector as one of your custom detectors. From what we see in the pcaps you are matching the User Agent strings of the HTTP traffic. Unfortunately you are assuming that when you call 2 open_addHttpPattern for the same AppID it will assume it's an AND but it's actually an OR. As a result when you have the keyword "Android" in it, it will match this AppID every time the useragent contains that keyword in their string. That will probably give you a lot of false positives.

Here are some more details for each statement.

On May 13, 2015, at 4:44 PM, Y M <snort at ...46...> wrote:

Hi,

Below is an OpenAppID detector for the YoudaoDict app. There are OS-based clients and the detector below documents some of them. The code is commented to reflect the documentation. Pcaps available if needed (client/server).

My first approach to tackle this was to use logic/flow similar to "client_Gnutella.lua"; however, there were pieces I couldn't find any documentation for and had no luck getting it to work. Will try to give it another shot.
--[[
detection_name: YoudaoDict Pro
version: 1
description: Detector for YoudaoDict dictation and dictionary clients (Windows, OS X, Android). There is a client for iOS, but not tested (no emulator).
metadata: OpenAppID community
]]--

require "DetectorCommon"
local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = 'YoudaoDict',
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidator',  -- must match the validator function defined below
        clean = 'DetectorFini',          -- must match the cleanup function defined below
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance;
    DC.printf ('%s:DetectorInit()\n', DetectorPackageInfo.name)



    --[[ There is a limitation on the maximum number of characters for the AppId passed to open_createApp
         Maximum number of allowed characters: 14
         Error message: Appname invalid
         Need to be added to OpenAppID documentation

         [ck] We will make sure we add it in the future. We have already increased it to 64 in a future release of OpenAppID.
         [ym] Thanks.
    ]]--



    -- Detector for the Android client
    gAppId = gDetector:open_createApp('youdaodict_and')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Android")
[ck] remove that.
    end



    -- Detector for Windows
    gAppId = gDetector:open_createApp('youdaodict_win')

    if gDetector.open_addHttpPattern then
[ck] change this to:
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict (Windows")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "youdaodict")
--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "(windowspc)")
[ck] remove that.
    end

    -- Detector for Windows client
[ck] we don't have a pcap for that to verify. I would just use the pattern above for the youdaodict_win detector above, so remove this below.
[ym] The pattern should be in the pcap named youdao_win as one of the user_agents used. For example streams 3 and 7.
    gAppId = gDetector:open_createApp('youdaodict_winc')

    if gDetector.open_addHttpPattern then
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Youdao Desktop Dict")
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Windows")
    end
[ck] end remove



    --[[ Detector for OS X. There are two versions of the same app
         One can be downloaded directly from the app website (tested below)
         Second can be downloaded from AppStore (not tested)
    ]]--
    gAppId = gDetector:open_createApp('youdaodict_osx')

    if gDetector.open_addHttpPattern then
[ck] since this is only comparing ASCII values, you should use whatever the user agent string is including. Replace this below from this
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "\230\156\137\233\129\147\232\175\141\229\133\184")
[ck] to this:
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8")
[ck] remove that below.
--        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Darwin")
    end










[ck] I would also add the 2 http patterns in there too from their website so we can get their payloads covered too:
[ym] This is a good suggestion, thanks.

    gAppId = gDetector:open_createApp("youdaodict");

    if gDetector.addAppUrl then
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "youdao.com", "/", "http:", "", gAppId);
        gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ydstatic.com", "/", "http:", "", gAppId);
    end

    return gDetector;
end



function DetectorValidator()
    -- no logic here since validator is not called when traffic is HTTP.
    local context = {}
    return clientFail(context)
end

function DetectorFini()
end



Thanks.
YM
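To make the OR-versus-AND point in the review concrete, here is an added example written for this page; it is not code from the thread, from YM's detector, or from the OpenAppID project. It is a plain-Lua model in which the hypothetical functions `addHttpPattern` and `matchUserAgent` stand in for the engine's HTTP pattern table, and the User-Agent strings are constructed for the demonstration rather than taken from the pcaps. It registers the first draft's patterns and then the reviewed ones, and runs both over the same samples, showing the "Android" false positive and why raw UTF-8 bytes never match a percent-encoded header.

```lua
-- Added example (not part of the thread or of OpenAppID): a plain-Lua model of
-- why several open_addHttpPattern() calls for one AppID behave as OR, not AND.
-- Each registered pattern is an independent substring test against the
-- User-Agent header, so any single hit is enough to tag the flow.
-- Run with a stock Lua 5.x interpreter: lua ua_or_model.lua

local patterns = {}   -- list of { appid = <name>, pattern = <string> }

-- Stand-in for gDetector:open_addHttpPattern(2, 5, 0, appId, 0, pattern);
-- only the AppID name and the pattern string matter for this model.
local function addHttpPattern(appId, pattern)
  patterns[#patterns + 1] = { appid = appId, pattern = pattern }
end

-- Returns the set of AppIDs for which at least one pattern is a literal
-- substring of ua. plain=true disables Lua pattern magic, so "%E6" and "("
-- are compared byte-for-byte, which is what the engine does with ASCII.
local function matchUserAgent(ua)
  local hits = {}
  for _, p in ipairs(patterns) do
    if string.find(ua, p.pattern, 1, true) then
      hits[p.appid] = true
    end
  end
  return hits
end

-- Constructed User-Agent samples for the model; not captured from real clients.
local samples = {
  { name = "android_youdao", ua = "youdaodict/6.0 (Linux; Android 5.1)" },
  { name = "windows_youdao", ua = "Youdao Desktop Dict (Windows NT 6.1)" },
  -- The OS X client name reaches the wire percent-encoded, so the header
  -- carries the ASCII text "%E6%9C%89...", not the raw UTF-8 bytes.
  { name = "osx_youdao",     ua = "%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/2.0 CFNetwork/720 Darwin/14.3.0" },
  { name = "other_android",  ua = "Mozilla/5.0 (Linux; Android 5.0; SM-G900F) AppleWebKit/537.36" },
}

-- Registration as in the first draft: two patterns meant as AND for the
-- Android AppID, and the OS X name given as raw UTF-8 bytes.
local function registerDraft()
  patterns = {}
  addHttpPattern("youdaodict_and", "youdaodict")
  addHttpPattern("youdaodict_and", "Android")
  addHttpPattern("youdaodict_osx", "\230\156\137\233\129\147\232\175\141\229\133\184")
end

-- Registration after the review: one discriminating pattern per AppID, and the
-- OS X pattern written exactly as the bytes appear in the header.
local function registerReviewed()
  patterns = {}
  addHttpPattern("youdaodict_and", "youdaodict")
  addHttpPattern("youdaodict_win", "Youdao Desktop Dict (Windows")
  addHttpPattern("youdaodict_osx", "%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8")
end

-- Prints which AppIDs each sample would be tagged with.
local function report(label)
  print(label)
  for _, s in ipairs(samples) do
    local ids = {}
    for id in pairs(matchUserAgent(s.ua)) do ids[#ids + 1] = id end
    table.sort(ids)
    print(string.format("  %-15s -> %s", s.name,
      #ids > 0 and table.concat(ids, ",") or "(no match)"))
  end
end

registerDraft()
report("draft registration:")
-- other_android is tagged youdaodict_and (false positive via "Android"), and
-- osx_youdao gets no match because the raw bytes never appear in the header.

registerReviewed()
report("reviewed registration:")
-- each client maps to exactly one AppID and other_android no longer matches.
```

The model only covers the substring semantics of HTTP User-Agent patterns; it says nothing about the engine's ordering, fast-pattern selection, or the URL patterns added with addAppUrl, which are registered separately.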


------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!