[Snort-openappid] JetBrains Detector

Cliff Judge (cljudge) cljudge at ...5...
Thu May 21 15:26:25 EDT 2015


Thank you very much for submitting these detectors. Could you please send along your pcaps? 

Yes, it is an OR relationship to use your words. Both open_addUrlPattern() and open_addHttpPattern() add patterns to the matching engine. If a match for any pattern is determined, that appId associated with that pattern is reported. Longest match is taken if there are multiple patterns. 

With regard to your URL patterns, you are essentially correct that your first three patterns can be summarized by the fourth, which only has the uri '/'. But if you wanted to, you could use each of the three above patterns to detect specific applications of their own, for example:

-- one appId per URL prefix; when several patterns match, the longest match decides which appId is reported
gAppId_jb = gDetector:open_createApp("jetbrains");
gAppId_jb_upload = gDetector:open_createApp("jetbrains upload");
gAppId_jb_plugins = gDetector:open_createApp("jetbrains plugins");
gAppId_jb_feature = gDetector:open_createApp("jetbrains feature");

gDetector:open_addUrlPattern(0, 0, gAppId_jb, "jetbrains.com", "/", "http:");
gDetector:open_addUrlPattern(0, 0, gAppId_jb_upload, "jetbrains.com", "/updates/", "http:");
gDetector:open_addUrlPattern(0, 0, gAppId_jb_plugins, "jetbrains.com", "/plugins/", "http:");
gDetector:open_addUrlPattern(0, 0, gAppId_jb_feature, "jetbrains.com", "/feature/", "http:");

...and in case you were wondering you could do this all in one file. 

The only other reason to include the more explicit url patterns would be if you ONLY wanted those to fire your appId. 

With regard to your HTTP patterns for User-Agent, remember that all of the patterns of a particular type are thrown into the same pattern engine. So you should exercise caution when adding something like "Java/" since that is likely to be used in some other detector - perhaps for Java. :) You can grep through the lua directory to make sure you aren't overloading a pattern.

Thanks very much,
Cliff Judge
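The "grep through the lua directory" check suggested above, written out as an added example (it is not code from this thread or from the OpenAppID project). It assumes a directory of *.lua detectors that register strings through open_addHttpPattern(...) / open_addUrlPattern(...) calls as the JetBrains detector does, and it builds a constructed two-file sample directory so it runs offline; the helper names pattern_users, count_pattern_users and make_sample_dir are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenAppID project): check whether a
# candidate User-Agent or URL pattern string is already registered by another
# detector, so you know before loading yours that the string is shared in the
# common pattern engine.
# Assumes: a directory of *.lua detectors using open_addHttpPattern / open_addUrlPattern.

# pattern_users DIR PATTERN
#   Print "file:line:source" for every open_add*Pattern call in DIR that registers
#   PATTERN. The second grep is fixed-string (-F) so '/' and '.' in the pattern are
#   matched literally; the quotes around it require the whole registered string to
#   equal PATTERN rather than merely contain it.
pattern_users() {
    dir=$1; pat=$2
    grep -rn --include='*.lua' -E 'open_add(Http|Url)Pattern' "$dir" 2>/dev/null \
        | grep -F -- "\"$pat\"" || true
}

# count_pattern_users DIR PATTERN
#   Number of detector files (not calls) that claim PATTERN. More than one file means
#   the string is shared in the engine and the reported appId depends on which match
#   is longest, not on your detector alone.
count_pattern_users() {
    pattern_users "$1" "$2" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# make_sample_dir
#   Constructed sample detectors for an offline run; echoes the temp directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat >"$d/jetbrains.lua" <<'EOF'
gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");
gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/updates/", "http:");
EOF
    cat >"$d/java_sample.lua" <<'EOF'
-- constructed stand-in for another detector that also keys on the Java user agent
gDetector:open_addHttpPattern(2, 5, 0, gAppIdJava, 0, "Java/");
EOF
    echo "$d"
}

# Stand-alone run: report how many detector files already use each candidate string.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    for candidate in 'Java/' 'NSIS_Inetc'; do
        printf '%s: %s detector file(s)\n' "$candidate" \
            "$(count_pattern_users "$sample" "$candidate")"
        pattern_users "$sample" "$candidate"
    done
    rm -rf "$sample"
fi
```

Run it as `sh check_patterns.sh --demo` against the constructed sample, or call `count_pattern_users /path/to/openappid/lua 'Java/'` directly before adding a detector; on the sample, "Java/" is claimed by two files while "NSIS_Inetc" is claimed by one.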

From: Y M [snort at ...46...]
Sent: Thursday, May 21, 2015 2:53 PM
To: snort-openappid
Subject: [Snort-openappid] JetBrains Detector


Another detector, not sure if it is useful or not. This one is for the JetBrains software - pyCharm and WebStorm - network traffic.

In previous emails, Costas corrected a wrong assumption - AND instead of OR - I made about 2 open_addHttpPatterns for the same detector. My question in this case, does this OR relationship hold true when it comes to an open_addUrlPattern and an open_addHttpPattern in the same detector?

Again, any comments are welcome. Pcaps are also available if needed.

--[[
detector_name: JetBrains
version: 1
description: Detector for JetBrains software (pyCharm, WebStorm) network traffic
metadata: OpenAppID community
--]]

require "DetectorCommon"

local DC = DetectorCommon

gDetector = nil

DetectorPackageInfo = {
    name = "JetBrains",
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        validate = 'DetectorValidator',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

function DetectorInit(detectorInstance)

    gDetector = detectorInstance;
    DC.printf("%s:DetectorInit()\n", DetectorPackageInfo.name)

    gAppId = gDetector:open_createApp("jetbrains");

    if gDetector.open_addUrlPattern then
        -- JetBrains pulls new updates
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/updates/", "http:");
        -- JetBrains pulls new plugins
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/plugins/", "http:");
        -- JetBrains pulls new features
        gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/feature/", "http:");

        --[[ The above 3 url patterns may be summarized into:
             gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/", "http:");
        --]]
    end

    if gDetector.open_addHttpPattern then
        -- JetBrains uses 2 different user-agents to pull data
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");
    end

    return gDetector
end

-- pattern-only detector: validation never claims the flow itself, the URL/HTTP patterns do
function DetectorValidator()
    local context = {}
    return clientFail(context)
end

function DetectorClean()
end

function DetectorFini()
end
