[Snort-openappid] JetBrains Detector

Y M snort at ...46...
Thu May 21 15:46:14 EDT 2015


Awesome, I think I get it now. The "Java/" example you gave nailed it as I saw the particular Java detection in appstats. 

This brings another question. If I want to force detection based on a URL pattern AND an HTTP pattern, say a User-Agent, at the same time such that: (if url_pattern = true and http_user_agent = true) then detection occurs, how can this be accomplished? In this case, a simple if statement will not help since both functions/calls are void.

Thanks again Cliff for the detailed explanation! The JetBrains pcap will be sent shortly. I will send the pcap for MS Visual Studio in its own existing thread to keep things tidy.

YM

> From: cljudge at ...5...
> To: snort at ...46...; snort-openappid at lists.sourceforge.net
> Date: Thu, 21 May 2015 19:26:25 +0000
> Subject: Re: [Snort-openappid] JetBrains Detector
> 
> 
> YM,
> 
> Thank you very much for submitting these detectors. Could you please send along your pcaps? 
> 
> Yes, it is an OR relationship to use your words. Both open_addUrlPattern() and open_addHttpPattern() add patterns to the matching engine. If a match for any pattern is determined, that appId associated with that pattern is reported. Longest match is taken if there are multiple patterns. 
> 
> With regard to your URL patterns, you are essentially correct that your first three patterns can be summarized by the fourth, which only has the uri '/'. But if you wanted to, you could use each of the three above patterns to detect specific applications of their own, for example:
> 
> gAppId_jb = gDetector:open_createApp("jetbrains");
> gAppId_jb_upload = gDetector:open_createApp("jetbrains upload");
> gAppId_jb_plugins = gDetector:open_createApp("jetbrains plugins");
> gAppId_jb_feature = gDetector:open_createApp("jetbrains feature");
> 
> -- each URL pattern reports its own appId; the bare "/" pattern is the catch-all
> gDetector:open_addUrlPattern(0, 0, gAppId_jb, "jetbrains.com", "/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_upload, "jetbrains.com", "/updates/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_plugins, "jetbrains.com", "/plugins/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_feature, "jetbrains.com", "/feature/", "http:");
> 
> ...and in case you were wondering you could do this all in one file. 
> 
> The only other reason to include the more explicit url patterns would be if you ONLY wanted those to fire your appId. 
> 
> With regard to your HTTP patterns for User-Agent, remember that all of the patterns of a particular type are thrown into the same pattern engine. So you should exercise caution when adding something like "Java/" since that is likely to be used in some other detector - perhaps for Java. :) You can grep through the lua directory to make sure you aren't overloading a pattern.
> 
> Thanks very much,
> Cliff Judge
> 
> ________________________________________
> From: Y M [snort at ...46...]
> Sent: Thursday, May 21, 2015 2:53 PM
> To: snort-openappid
> Subject: [Snort-openappid] JetBrains Detector
> 
> Hi,
> 
> Another detector, not sure if it is useful or not. This one is for the JetBrains software - pyCharm and WebStorm - network traffic.
> 
> In previous emails, Costas corrected a wrong assumption - AND instead of OR - I made about 2 open_addHttpPatterns for the same detector. My question in this case, does this OR relationship hold true when it comes to an open_addUrlPattern and an open_addHttpPattern in the same detector?
> 
> Again, any comments are welcome. Pcaps are also available if needed.
> 
> --[[
> detector_name: JetBrains
> version: 1
> description: Detector for JetBrains software (pyCharm, WebStorm) network traffic
> metadata: OpenAppID community
> ]]--
> 
> require "DetectorCommon"
> 
> local DC = DetectorCommon
> 
> gDetector = nil
> 
> DetectorPackageInfo = {
>     name = "JetBrains",
>     proto = DC.ipproto.tcp,
>     client = {
>         init = 'DetectorInit',
>         validate = 'DetectorValidator',  -- must match the function name defined below
>         clean = 'DetectorClean',
>         minimum_matches = 1
>     }
> }
> 
> function DetectorInit(detectorInstance)
> 
>     gDetector = detectorInstance;
>     DC.printf("%s:DetectorInit()\n", DetectorPackageInfo.name)
> 
>     gAppId = gDetector:open_createApp("jetbrains");
> 
>     if gDetector.open_addUrlPattern then
>         -- Jetbrains pull new updates
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/updates/", "http:");
>         -- Jetbrains pull new plugins
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/plugins/", "http:");
>         -- Jetbrains pull new features
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/feature/", "http:");
> 
>         --[[ The above 3 url patterns may be summarized into:
>              gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/", "http:");
>         ]]--
>     end
> 
>     if gDetector.open_addHttpPattern then
>         -- Jetbrains used 2 different user-agents to pull data
>         gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
>         gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");
>     end
> 
>     return gDetector
> end
> 
> function DetectorValidator()
>     local context = {}
>     return clientFail(context)
> end
> 
> function DetectorClean()
> end
> 
> function DetectorFini()
> end
> 
> YM
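Two points in Cliff's reply are worth being able to check mechanically: every open_addHttpPattern()/open_addUrlPattern() call goes into one shared engine where any match reports its appId and the longest match wins, and a short pattern such as "Java/" may already be claimed by another detector. The script below is an added example, not code from the list or from the OpenAppID project: it parses the Lua call shapes used in the thread out of constructed sample detector sources (no real ODP files), lists patterns registered under more than one app, and models the "any match fires, longest wins" resolution in plain Python. The model is an approximation of what the reply describes, not the real engine.

```python
import re
from collections import defaultdict

# Constructed sample detector sources (not real OpenAppID ODP files); they only
# reproduce the call shapes from the thread so the parser has input to work on.
DETECTOR_SOURCES = {
    "jetbrains.lua": '''
        gAppId_jb = gDetector:open_createApp("jetbrains");
        gAppId_jb_upload = gDetector:open_createApp("jetbrains upload");
        gDetector:open_addUrlPattern(0, 0, gAppId_jb, "jetbrains.com", "/", "http:");
        gDetector:open_addUrlPattern(0, 0, gAppId_jb_upload, "jetbrains.com", "/updates/", "http:");
        gDetector:open_addHttpPattern(2, 5, 0, gAppId_jb, 0, "Java/");
        gDetector:open_addHttpPattern(2, 5, 0, gAppId_jb, 0, "NSIS_Inetc");
    ''',
    # hypothetical second detector that also claims the "Java/" User-Agent prefix
    "java_client.lua": '''
        gAppId = gDetector:open_createApp("java");
        gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
    ''',
}

CREATE_RE = re.compile(r'(\w+)\s*=\s*gDetector:open_createApp\("([^"]+)"\)')
HTTP_RE = re.compile(
    r'open_addHttpPattern\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*,\s*(\w+)\s*,\s*\d+\s*,\s*"([^"]+)"\)')
URL_RE = re.compile(
    r'open_addUrlPattern\(\s*\d+\s*,\s*\d+\s*,\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\)')


def parse_detector(src):
    """Return [(kind, app_name, pattern)] for one Lua detector source.

    kind is "http" for open_addHttpPattern and "url" for open_addUrlPattern;
    a URL pattern is flattened to host + path so it can be compared as a string.
    The appId variable is resolved to the name passed to open_createApp().
    """
    apps = dict(CREATE_RE.findall(src))  # Lua variable name -> app name
    entries = []
    for var, pat in HTTP_RE.findall(src):
        entries.append(("http", apps.get(var, var), pat))
    for var, host, path, _scheme in URL_RE.findall(src):
        entries.append(("url", apps.get(var, var), host + path))
    return entries


def find_shared_patterns(sources):
    """Map kind -> {pattern: set(app names)} for patterns claimed by more than one app.

    This is the programmatic form of "grep through the lua directory" from the thread.
    """
    owners = defaultdict(lambda: defaultdict(set))
    for src in sources.values():
        for kind, app, pat in parse_detector(src):
            owners[kind][pat].add(app)
    return {kind: {p: a for p, a in pats.items() if len(a) > 1}
            for kind, pats in owners.items()}


def longest_match(sources, kind, text):
    """Model the shared engine: any registered pattern found in text fires,
    and the longest matching pattern decides which app is reported."""
    best = None
    for src in sources.values():
        for k, app, pat in parse_detector(src):
            if k == kind and pat in text and (best is None or len(pat) > len(best[0])):
                best = (pat, app)
    return best[1] if best else None


if __name__ == "__main__":
    for kind, pats in find_shared_patterns(DETECTOR_SOURCES).items():
        for pat, apps in pats.items():
            print(f"{kind} pattern {pat!r} is registered by {sorted(apps)}")
    print(longest_match(DETECTOR_SOURCES, "url", "jetbrains.com/updates/idea.xml"))
    print(longest_match(DETECTOR_SOURCES, "url", "jetbrains.com/index.html"))
```

Run against a real lua directory by reading each file into the dictionary instead of the constructed strings. A pattern that shows up under two apps, as "Java/" does here, is exactly the overload Cliff warns about: which app the engine reports for such a User-Agent is not something the detector author controls.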