[Snort-openappid] JetBrains Detector

Y M snort at ...46...
Thu May 21 14:53:02 EDT 2015


Another detector, not sure if it is useful or not. This one is for the JetBrains software - PyCharm and WebStorm - network traffic.

In previous emails, Costas corrected a wrong assumption - AND instead of OR - I made about 2 open_addHttpPatterns for the same detector. My question in this case is whether this OR relationship holds true when it comes to an open_addUrlPattern and an open_addHttpPattern in the same detector?

Again, any comments are welcome. Pcaps are also available if needed. 

--[[
detector_name: JetBrains
version: 1
description: Detector for JetBrains software (PyCharm, WebStorm) network traffic
metadata: OpenAppID community
--]]

require "DetectorCommon"

local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = "JetBrains",
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        -- must match the name of the validate function defined below
        validate = 'DetectorValidator',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)

    gDetector = detectorInstance;
    DC.printf("%s:DetectorInit()\n", DetectorPackageInfo.name)

    gAppId = gDetector:open_createApp("jetbrains");

    if gDetector.open_addUrlPattern then
        -- JetBrains pulls new updates
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/updates/", "http:");
        -- JetBrains pulls new plugins
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/plugins/", "http:");
        -- JetBrains pulls new features
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/feature/", "http:");

        --[[ The three URL patterns above may be summarized into:
             gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/", "http:");
        --]]
    end

    if gDetector.open_addHttpPattern then
        -- JetBrains uses 2 different user-agents to pull data
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");
    end

    return gDetector
end

function DetectorValidator()
    local context = {}
    -- clientFail is assumed to be provided by the OpenAppID detector environment
    -- loaded through DetectorCommon; it is not defined in this file
    return clientFail(context)
end

function DetectorClean()
end

function DetectorFini()
end
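A model of the detector's URL and User-Agent patterns run over a few constructed requests, added here as an example and not part of the post or of OpenAppID; the host-suffix / path-prefix / scheme-prefix matching rules and the sample hostnames and paths are assumptions, not the engine's documented behaviour.

```python
"""Model of the URL and User-Agent patterns from the posted JetBrains detector,
run over constructed HTTP requests.  Added example, not OpenAppID code; the
match rules (host suffix, path prefix, scheme prefix) are an assumption about
how the engine compares patterns, not something documented in the post."""
from urllib.parse import urlsplit

# (host, path, scheme) triples as passed to open_addUrlPattern in the post.
URL_PATTERNS = [
    ("jetbrains.com", "/updates/", "http:"),
    ("jetbrains.com", "/plugins/", "http:"),
    ("jetbrains.com", "/feature/", "http:"),
]
# The single pattern the post suggests could replace the three above.
ROOT_PATTERN = [("jetbrains.com", "/", "http:")]
# Strings passed to open_addHttpPattern with pattern type 2 (User-Agent).
UA_PATTERNS = ["Java/", "NSIS_Inetc"]

# Constructed requests; hostnames, paths and version strings are illustrative.
SAMPLE_REQUESTS = [
    {"url": "http://www.jetbrains.com/updates/updates.xml", "ua": "Java/1.7.0_75"},
    {"url": "http://plugins.jetbrains.com/plugins/list/", "ua": "NSIS_Inetc (Mozilla)"},
    {"url": "http://example.invalid/api/", "ua": "Java/1.8.0_45"},
]

def match_url(url, patterns=URL_PATTERNS):
    """Return the path of every pattern that matches the URL."""
    parts = urlsplit(url)
    scheme = parts.scheme + ":"
    return [path for host, path, sch in patterns
            if parts.hostname.endswith(host)
            and parts.path.startswith(path)
            and scheme.startswith(sch)]

def match_ua(user_agent, patterns=UA_PATTERNS):
    """Return every User-Agent pattern that occurs in the header value."""
    return [p for p in patterns if p in user_agent]

def classify(req):
    """Report which pattern family fires for one request.  The two lists are
    kept separate on purpose: how the engine combines a URL hit with a
    User-Agent hit is exactly the question raised in the post."""
    return {"url": match_url(req["url"]), "ua": match_ua(req["ua"])}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], classify(req), "root:", match_url(req["url"], ROOT_PATTERN))
```

"Java/" is the default User-Agent prefix sent by Java's built-in HTTP client, so the third sample shows that pattern firing on its own for non-JetBrains traffic; whether that alone is enough to tag a flow depends on the URL/User-Agent combination rule the post asks about.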
