[Snort-openappid] MS Visual Studio Detector

Y M snort at ...46...
Thu May 21 14:43:43 EDT 2015


Below is a detector for MS Visual Studio (VS 2013 and VS 2015 RC) reaching out to the internet. In particular, most of the traffic is generated when accessing the Tools --> Extensions and Updates sub-menu. The HTTP requests were sent without a User-Agent header. Pcaps are available; please let me know if needed. Any comments are welcome; still in the "learning" phase :).

detection_name: Microsoft Visual Studio Update
version: 1
description: Detector for Microsoft Visual Studio Update network traffic
metadata: OpenAppID Community

require "DetectorCommon"

local DC = DetectorCommon

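-- Engine-provided detector object; assigned in DetectorInit and kept as a
-- module-level global, which is the convention the OpenAppID callbacks use.
gDetector = nil

--- Registration record read by the OpenAppID engine when the detector loads.
-- The callback fields name global functions by string, so the functions
-- defined later in this file must carry exactly these names.
-- Closing braces were missing in the posted listing; restored here so the
-- chunk parses.
DetectorPackageInfo = {
    name = "MS_VisualStudio",
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        -- The validator defined in this file is DetectorValidator; the
        -- original string 'DetectorValidate' named a function that does not
        -- exist, so the engine could never resolve the callback.
        validate = 'DetectorValidator',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}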

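--- Detector entry point, called once by the OpenAppID engine at load time.
-- Registers the application id and the host/path URL patterns that identify
-- Visual Studio's update / "Extensions and Updates" traffic. The posted
-- listing lacked the closing `end` for the `if` and the function; both are
-- restored here.
-- @param detectorInstance engine-provided detector object; stored in the
--   global gDetector for the framework's other callbacks.
-- @return the same detector instance, as the framework expects.
function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- Log message previously read "DetectorIniti()"; corrected to the
    -- function's real name so log greps line up.
    DC.printf("%s:DetectorInit()\n", DetectorPackageInfo.name)

    -- Module-global on purpose (same convention as gDetector), not an
    -- accidental global: later callbacks may need the registered app id.
    gAppId = gDetector:open_createApp("ms_visualstudio")

    -- open_addUrlPattern may be absent on engine builds without the
    -- URL-pattern API, so check for the method before registering patterns.
    if gDetector.open_addUrlPattern then
        -- Each pattern pairs a destination host with a URL path; the trailing
        -- "http:" argument presumably restricts matching to plain HTTP, so the
        -- same requests over TLS would not be attributed — confirm against
        -- the engine's API. The two leading 0 arguments are passed through
        -- as in the original; their meaning is not shown here.
        gDetector:open_addUrlPattern(0, 0, gAppId, "download.microsoft.com", "/VSUpdateTemplate.atom", "http:")
        gDetector:open_addUrlPattern(0, 0, gAppId, "code.msdn.microsoft.com", "/sample.svc", "http:")
        -- NOTE(review): "gallary" looks like a typo for "gallery"; if so this
        -- pattern never matches. Verify the host against the captured pcap.
        gDetector:open_addUrlPattern(0, 0, gAppId, "visualstudiogallary.msdn.microsoft.com", "/extension.svc", "http:")
    end

    return gDetector
end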

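--- Per-flow validation callback registered for the client side.
-- Identification for this detector is done entirely by the URL patterns
-- registered in DetectorInit, so this callback inspects no payload and
-- always reports a miss through clientFail with an empty context.
-- The closing `end` was missing in the posted listing and is restored here.
-- @return whatever clientFail returns for an empty context; clientFail is
--   not defined in this file and is presumably supplied by DetectorCommon —
--   confirm, since a missing definition would raise at first flow.
function DetectorValidator()
    local context = {}
    return clientFail(context)
end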

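--- Cleanup callback named by DetectorPackageInfo.client.clean.
-- Nothing is allocated per detector beyond the globals set in DetectorInit,
-- so there is nothing to release. The closing `end` was missing in the
-- posted listing and is restored here.
function DetectorClean()
end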

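--- Finalizer hook; not referenced by DetectorPackageInfo in this file, so it
-- is presumably looked up by the engine by name — confirm. Intentionally
-- empty. The closing `end` was missing in the posted listing and is
-- restored here.
function DetectorFini()
end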

