[Snort-openappid] JetBrains Detector

Cliff Judge (cljudge) cljudge at ...5...
Thu May 21 17:12:44 EDT 2015


I am glad to be of help. 

"Complex" pattern matching such as you describe is not currently available, but will be in a future release. 

Thanks,
Cliff Judge

________________
From: Y M [snort at ...46...]
Sent: Thursday, May 21, 2015 3:46 PM
To: Cliff Judge (cljudge)
Cc: snort-openappid
Subject: RE: [Snort-openappid] JetBrains Detector

Awesome, I think I get it now. The "Java/" example you gave nailed it as I saw the particular Java detection in appstats.

This brings another question. If I want to force detection based on a URL pattern AND an HTTP pattern, say a User-Agent, at the same time such that: (if url_pattern = true and http_user_agent = true) then detection occurs, how can this be accomplished? In this case, a simple if statement will not help since both functions/calls are void.

Thanks again Cliff for the detailed explanation! The JetBrains pcap will be sent shortly. I will send the pcap for MS Visual Studio in its own existing thread to keep things tidy.

YM

> From: cljudge at ...5...
> To: snort at ...46...; snort-openappid at lists.sourceforge.net
> Date: Thu, 21 May 2015 19:26:25 +0000
> Subject: Re: [Snort-openappid] JetBrains Detector
>
>
> YM,
>
> Thank you very much for submitting these detectors. Could you please send along your pcaps?
>
> Yes, it is an OR relationship to use your words. Both open_addUrlPattern() and open_addHttpPattern() add patterns to the matching engine. If a match for any pattern is determined, the appId associated with that pattern is reported. Longest match is taken if there are multiple patterns.
>
> With regard to your URL patterns, you are essentially correct that your first three patterns can be summarized by the fourth, which only has the uri '/'. But if you wanted to, you could use each of the three above patterns to detect specific applications of their own, for example:
>
> gAppId_jb = gDetector:open_createApp("jetbrains");
> gAppId_jb_upload = gDetector:open_createApp("jetbrains upload");
> gAppId_jb_plugins = gDetector:open_createApp("jetbrains plugins");
> gAppId_jb_feature = gDetector:open_createApp("jetbrains feature");
>
> gDetector:open_addUrlPattern(0, 0, gAppId_jb, "jetbrains.com", "/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_upload, "jetbrains.com", "/updates/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_plugins, "jetbrains.com", "/plugins/", "http:");
> gDetector:open_addUrlPattern(0, 0, gAppId_jb_feature, "jetbrains.com", "/feature/", "http:");
>
> ...and in case you were wondering you could do this all in one file.
>
> The only other reason to include the more explicit url patterns would be if you ONLY wanted those to fire your appId.
>
> With regard to your HTTP patterns for User-Agent, remember that all of the patterns of a particular type are thrown into the same pattern engine. So you should exercise caution when adding something like "Java/" since that is likely to be used in some other detector - perhaps for Java. :) You can grep through the lua directory to make sure you aren't overloading a pattern.
>
> Thanks very much,
> Cliff Judge
>
> ________________________________________
> From: Y M [snort at ...46...]
> Sent: Thursday, May 21, 2015 2:53 PM
> To: snort-openappid
> Subject: [Snort-openappid] JetBrains Detector
>
> Hi,
>
> Another detector, not sure if it is useful or not. This one is for JetBrains software (PyCharm and WebStorm) network traffic.
>
> In previous emails, Costas corrected a wrong assumption - AND instead of OR - I made about 2 open_addHttpPatterns for the same detector. My question in this case, does this OR relationship hold true when it comes to an open_addUrlPattern and an open_addHttpPattern in the same detector?
>
> Again, any comments are welcome. Pcaps are also available if needed.
>
> --[[
> detector_name: JetBrains
> version: 1
> description: Detector for JetBrains software (PyCharm, WebStorm) network traffic
> metadata: OpenAppID community
> ]]--
>
> require "DetectorCommon"
>
> local DC = DetectorCommon
>
> gDetector = nil
>
> DetectorPackageInfo = {
>     name = "JetBrains",
>     proto = DC.ipproto.tcp,
>     client = {
>         init = 'DetectorInit',
>         -- must name the function defined below
>         validate = 'DetectorValidator',
>         clean = 'DetectorClean',
>         minimum_matches = 1
>     }
> }
>
> function DetectorInit(detectorInstance)
>
>     gDetector = detectorInstance;
>     DC.printf("%s:DetectorInit()\n", DetectorPackageInfo.name)
>
>     gAppId = gDetector:open_createApp("jetbrains");
>
>     if gDetector.open_addUrlPattern then
>         -- JetBrains pulls new updates
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/updates/", "http:");
>         -- JetBrains pulls new plugins
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/plugins/", "http:");
>         -- JetBrains pulls new features
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/feature/", "http:");
>
>         --[[ The above 3 URL patterns may be summarized into:
>         gDetector:open_addUrlPattern(0, 0, gAppId, "jetbrains.com", "/", "http:");
>         ]]--
>     end
>
>     if gDetector.open_addHttpPattern then
>         -- JetBrains uses 2 different User-Agents to pull data
>         gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");
>         gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");
>     end
>
>     return gDetector
> end
>
> function DetectorValidator()
>     local context = {}
>     return clientFail(context)
> end
>
> function DetectorClean()
> end
>
> function DetectorFini()
> end
>
> YM
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
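The following is an added example, not code from this thread or from the OpenAppID project. It is a small Python model of the two points Cliff makes above: URL patterns and HTTP (User-Agent) patterns all feed one engine in an OR relationship, with the longest match reported; and a pattern string such as "Java/" registered by one detector is shared with every other detector that registers it, which is why he suggests grepping the lua directory. The class PatternEngine, the functions build_jetbrains_engine and find_pattern_collisions, and the SAMPLE_LUA_DIR contents are all constructed here; the matching rules (suffix match on host, prefix match on path, substring match on User-Agent, lengths compared across pattern types) are assumptions of the model and not a description of the real engine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example; models the OR / longest-match behaviour described in the
# thread. Matching rules below are assumptions, not the real engine's logic.

@dataclass
class PatternEngine:
    url_patterns: List[Tuple[str, str, str]] = field(default_factory=list)  # (host, path, app)
    ua_patterns: List[Tuple[str, str]] = field(default_factory=list)        # (pattern, app)

    def add_url_pattern(self, app: str, host: str, path: str) -> None:
        self.url_patterns.append((host, path, app))

    def add_http_pattern(self, app: str, pattern: str) -> None:
        self.ua_patterns.append((pattern, app))

    def classify(self, host: str, path: str, user_agent: str) -> Optional[Tuple[str, str]]:
        """Return (app, matched_pattern) for the longest matching pattern, or None.

        Any single pattern hit is enough (OR relationship); when several hit,
        the longest one decides which appId is reported.
        """
        hits: List[Tuple[int, str, str]] = []
        for h, p, app in self.url_patterns:
            if host.endswith(h) and path.startswith(p):
                hits.append((len(h) + len(p), app, f"url:{h}{p}"))
        for pat, app in self.ua_patterns:
            if pat in user_agent:
                hits.append((len(pat), app, f"ua:{pat}"))
        if not hits:
            return None
        hits.sort(key=lambda hit: hit[0], reverse=True)
        _, app, why = hits[0]
        return app, why


def build_jetbrains_engine() -> PatternEngine:
    """Register the per-path appIds suggested in the thread plus both User-Agents."""
    eng = PatternEngine()
    eng.add_url_pattern("jetbrains", "jetbrains.com", "/")
    eng.add_url_pattern("jetbrains upload", "jetbrains.com", "/updates/")
    eng.add_url_pattern("jetbrains plugins", "jetbrains.com", "/plugins/")
    eng.add_url_pattern("jetbrains feature", "jetbrains.com", "/feature/")
    eng.add_http_pattern("jetbrains", "Java/")
    eng.add_http_pattern("jetbrains", "NSIS_Inetc")
    return eng


# Matches the six-argument call form used in the thread:
# open_addHttpPattern(type, seq, serviceId, appId, clientId, "pattern")
HTTP_PATTERN_CALL = re.compile(
    r'open_addHttpPattern\s*\(\s*(\d+)\s*,[^,]*,[^,]*,\s*(\w+)\s*,[^,]*,\s*"([^"]*)"'
)


def find_pattern_collisions(lua_sources: Dict[str, str]) -> Dict[Tuple[int, str], List[str]]:
    """Map (pattern type, pattern string) -> detector files that register it.

    Only entries registered by more than one file are returned; these are the
    overloaded patterns the thread warns about.
    """
    seen: Dict[Tuple[int, str], set] = {}
    for fname, text in lua_sources.items():
        for m in HTTP_PATTERN_CALL.finditer(text):
            seen.setdefault((int(m.group(1)), m.group(3)), set()).add(fname)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed stand-ins for files in the lua directory (not real detector files).
SAMPLE_LUA_DIR = {
    "jetbrains.lua": (
        'gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");\n'
        'gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "NSIS_Inetc");\n'
    ),
    # hypothetical detector that also claims the generic "Java/" User-Agent
    "java_client.lua": 'gDetector:open_addHttpPattern(2, 5, 0, gAppId, 0, "Java/");\n',
}

if __name__ == "__main__":
    eng = build_jetbrains_engine()
    print(eng.classify("www.jetbrains.com", "/updates/pycharm.xml", "Java/1.8.0_45"))
    # A plain Java client talking to an unrelated host is still reported as jetbrains:
    print(eng.classify("example.org", "/api", "Java/1.8.0_45"))
    print(find_pattern_collisions(SAMPLE_LUA_DIR))
```

The second classify call is the practical consequence of registering "Java/" for JetBrains: any Java HTTP client on any host carries that User-Agent, so the appId fires far outside JetBrains traffic. Running the collision check over the constructed sources reports (2, "Java/") as claimed by two files, which is exactly what a grep of the real lua directory is meant to surface before a detector is submitted.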