[Snort-openappid] AV Detectors

Y M snort at ...46...
Mon May 25 16:24:56 EDT 2015


Hi,
Below are detectors for several antivirus engines. I hope to add more and keep updating the code, and I am cleaning up the pcaps so they can be shared.
As usual, any comments are welcome. Thanks. YM
Heads up, this is going to be a long one.
--[[
detection_name: AV Engines Detectors
version: 1
description: Detectors for various Windows antivirus engines.
metadata: OpenAppID community
bundle_description $VAR1: {
          'AVG' => 'AVG Internet Security 15.1.0.9',
          'Bitdefender' => 'Bitdefender Internet Security',
          'F-Secure' => 'F-Secure Safe Network 3.03.103.0',
          'KVRT' => 'Kaspersky Free Virus Removal Tool 15.0.19.0',
          'KIS' => 'Kaspersky Internet Security 15.0.2.361',
          'Malwarebytes' => 'Malwarebytes Anti-Malware 2.1.6.1022',
          'McAfee' => 'McAfee Master Installer 7.6.0.0',
          'Norton' => 'Norton Download Manager 5.0.0',
          'Sophos' => 'Sophos Free Virus Removal Tool 2.5',
          'SUPERAntiSpyware' => 'SUPERAntiSpyware Professional'
        };
--]]
require "DetectorCommon"local DC = DetectorCommon
-- Transport this package is registered for (TCP only; nothing here looks at UDP).
local proto = DC.ipproto.tcp

-- Lifecycle callbacks the OpenAppID engine looks up by name in this file.
-- 'validate' is deliberately not wired up. Note that the name it would point
-- at ('DetectorValidate') does not match the function actually defined below
-- ('DetectorValidator'); enabling it as-is would fail to resolve.
-- The engine additionally requires a DetectorFini function to exist, otherwise
-- it reports "(null): DetectorFini not provided" (original author's note).
local serverCallbacks = {
    init = 'DetectorInit',
    --validate = 'DetectorValidate',
    clean = 'DetectorClean',
    minimum_matches = 1,
}

-- Global on purpose: this is the table the OpenAppID engine reads. The package
-- is named "avg" for historical reasons but registers apps for nine engines.
DetectorPackageInfo = {
    name = "avg",
    proto = proto,
    server = serverCallbacks,
}
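-- Indicators registered per antivirus engine. Each entry becomes one OpenAppID
-- app (open_createApp) with:
--   urls : { host, path } pairs registered through addAppUrl (scheme "http:")
--   http : substrings registered through addHttpPattern, passed with the same
--          positional flags (2, 5, 0, ...) the hand-written calls used; confirm
--          their meaning against the OpenAppID Lua API docs for your Snort build
--   ssl  : substrings registered through addSSLCnamePattern against the server
--          certificate subject
-- Registration order is preserved: engines top to bottom, and urls, then http,
-- then ssl within an engine.
--
-- NOTE(review): every indicator here is attacker-controllable (Host header,
-- User-Agent substring, certificate-name substring) and none of them validates
-- a certificate chain, so a match classifies traffic for visibility and policy
-- only. Do not write allow-rules that trust a flow merely because it carries
-- one of these labels.
-- NOTE(review): very short User-Agent substrings ("NS/", "FSD", "DING",
-- "WSLib") are likely to match unrelated clients. They are kept as provided
-- because the original captures were not available to tighten them; consider
-- replacing them with longer, product-specific tokens.
local AV_ENGINES = {
    {
        app = "avg_av",
        -- All of these could be collapsed into "avg.com", but that would also
        -- tag a browser visiting the AVG homepage, which is served over plain
        -- HTTP (original author's note).
        urls = {
            { "update.avg.com", "/" },
            { "aa.avg.com", "/" },
            { "ctf.download.avg.com", "/" },
            -- Was "static.avg.comg" in the original; ".comg" is not a TLD, so
            -- that pattern could never match.
            { "static.avg.com", "/" },
            { "av.download.avg.com", "/" },
            { "stub.avg.com", "/" },
            { "explabs.net", "/" },
        },
        http = { "AVGDM-", "AVGINET" },
    },
    {
        app = "bitdefender_av",
        urls = {
            { "patches-please-change-me.cdn.bitdefender.net", "/" },
            { "download.bitdefender.com", "/" },
            { "upgr-mmxv.cdn.bitdefender.net", "/" },
            { "nimbus.bitdefender.net", "/" },
            { "da3e3.com", "/qscan" },
        },
        http = { "BDNC v", "Bitdefender", "BDDownload", "WSLib" },
        -- Original author's note: this certificate pattern did not produce a
        -- match in testing; OU and CN variants were tried without success.
        ssl = { "Bitdefender SRL" },
    },
    {
        app = "fsecure_av",
        urls = {
            { "sp.f-secure.com", "/" },
            { "orsp.f-secure.com", "/" },
        },
        http = { "FsCcfDownload", "FSORSP/", "CCF DNS" },
        ssl = { "F-Secure Corporation" },
    },
    {
        -- Covers both KVRT and KIS under one app id.
        app = "kaspersky_av",
        urls = {
            { "devbuilds.kaspersky-labs.com", "/" },
            { "dm.kaspersky-labs.com", "/" },
            { "slideshow.kaspersky-labs.com", "/" },
            { "geo.kaspersky.com", "/" },
        },
        http = { "Kaspersky Downloader" },
        ssl = {
            "Kaspersky Lab ZAO",
            "ksn-stat-install.kaspersky-labs.com",
            "activation.kaspersky.com",
            "activation-v2.kaspersky.com",
        },
    },
    {
        app = "malwarebytes_av",
        urls = { { "mbamupdates.com", "/" } },
        http = { "mbam -" },
        ssl = { "Malwarebytes Corporation", "*.mwbsys.com" },
    },
    {
        app = "mcafee_av",
        urls = {
            { "download.mcafee.com", "/" },
            { "data.hackerwatch.org", "/" },
        },
        http = { "McHttpH", "MPFv" },
        ssl = { "McAfee, Inc.", "*.mcafee.com" },
    },
    {
        app = "norton_av",
        urls = {
            { "liveupdate.symantecliveupdate.com", "/" },
            { "buy-download.norton.com", "/" },
            { "spoc-pool-gtm.norton.com", "/" },
            { "stats.norton.com", "/" },
            { "csasmain.symantec.com", "/" },
        },
        http = { "NS/", "FSD", "Norton/", "DING" },
        ssl = { "Symantec Corporation", "shasta-rrs.symantec.com" },
    },
    {
        -- Detection for Sophos already exists in the OpenAppID detector
        -- package (original author's note); this entry duplicates it.
        app = "sophos_av",
        urls = { { "sophosupd.com", "/" } },
        http = { "SophosUpdateLibrary/" },
        ssl = { "Sophos Ltd." },
    },
    {
        app = "santispyware",
        http = {
            "SASDef_GetDescriptor",
            "SABUPDATE",
            "SASDIAGNOSTICITEM",
            "SAS_APP",
            "SABACTIVATION",
            "SASThreatMap",
        },
    },
}

-- Register one engine's indicators on `detector`.
-- The `if detector.<method>` guards are kept from the original: they let the
-- file load on engine builds that lack one of the registration calls, in which
-- case that indicator class is silently skipped for every engine.
local function register_av_engine(detector, engine)
    local appId = detector:open_createApp(engine.app)
    if detector.addAppUrl then
        for _, entry in ipairs(engine.urls or {}) do
            detector:addAppUrl(0, 0, 0, appId, 0, entry[1], entry[2], "http:", "", appId)
        end
    end
    if detector.addHttpPattern then
        for _, pattern in ipairs(engine.http or {}) do
            detector:addHttpPattern(2, 5, 0, appId, 0, 0, 0, pattern, appId)
        end
    end
    if detector.addSSLCnamePattern then
        for _, cname in ipairs(engine.ssl or {}) do
            detector:addSSLCnamePattern(0, appId, cname)
        end
    end
end

--- OpenAppID init callback (named by DetectorPackageInfo.server.init).
-- Registers every engine in AV_ENGINES on the supplied detector instance.
-- @param detectorInstance detector object handed in by the engine
-- @return the same detector instance, as the engine expects
function DetectorInit(detectorInstance)
    -- Kept global on purpose: OpenAppID detectors conventionally share the
    -- instance with the other callbacks through gDetector.
    gDetector = detectorInstance
    for _, engine in ipairs(AV_ENGINES) do
        register_av_engine(gDetector, engine)
    end
    return gDetector
end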
--- Flow validation callback.
-- Currently dead code: DetectorPackageInfo.server has its validate entry
-- commented out, and the name that entry would use ('DetectorValidate') does
-- not match this function's name anyway. clientFail is not defined anywhere in
-- this file; if validation is ever enabled, that helper has to be provided (or
-- this body replaced), otherwise the call fails at runtime on a nil global.
function DetectorValidator()
    return clientFail({})
end
--- OpenAppID clean callback (named by DetectorPackageInfo.server.clean).
-- Nothing in this detector holds per-flow state, so there is nothing to
-- release; the function exists only so the callback table resolves.
function DetectorClean()
    return
end
--- OpenAppID teardown callback.
-- Required even though it does nothing: without it the engine reports
-- "(null): DetectorFini not provided" (original author's note).
function DetectorFini()
    return
end

