[Snort-openappid] AV Detectors

snort at ...46...
Tue May 26 09:48:20 EDT 2015


Thank you, Costas.
Yes, I recall at least seeing avast, symantec, sophos live in the resulting appstats.
I just added them in one file for logical grouping. It really does not matter.
YM

Sent from Mobile




On Tue, May 26, 2015 at 6:37 AM -0700, "Costas Kleopa (ckleopa)" <ckleopa at ...47.....5...> wrote:
Thank you for your contribution. We actually have some of them as separate detectors instead of just one that includes all of them. We will go over the ones we may be missing and we will work on adding them as new detectors in our product. We will let you know if we need any specific pcaps from them.

Thanks
Costas

On May 25, 2015, at 4:24 PM, Y M <snort at ...46...> wrote:

Hi,

Below are detectors for multiple/some antivirus engines. Hopefully, I will be adding more and updating the code. Cleaning up the pcaps for availability.

As usual, any comments are welcome. Thanks.
YM

Heads up, this is going to be a long one.

--[[
detection_name: AV Engines Detectors
version: 1
description: Detectors for various Windows antivirus engines.
metadata: OpenAppID community
bundle_description $VAR1: {
          'AVG' => 'AVG Internet Security 15.1.0.9',
          'Bitdefender' => 'Bitdefender Internet Security',
          'F-Secure' => 'F-Secure Safe Network 3.03.103.0',
          'KVRT' => 'Kaspersky Free Virus Removal Tool 15.0.19.0',
          'KIS' => 'Kaspersky Internet Security 15.0.2.361',
          'Malwarebytes' => 'Malwarebytes Anti-Malware 2.1.6.1022',
          'McAfee' => 'McAfee Master Installer 7.6.0.0',
          'Norton' => 'Norton Download Manager 5.0.0',
          'Sophos' => 'Sophos Free Virus Removal Tool 2.5',
          'SUPERAntiSpyware' => 'SUPERAntiSpyware Professional'
        };
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "avg",
        proto = proto,
        server = {
                init = 'DetectorInit',
                --validate = 'DetectorValidator',    -- name of the validator function defined below, if enabled
                clean = 'DetectorClean',        -- Must be added, otherwise error: (null): DetectorFini not provided
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;

        -- AVG
        gAppId = gDetector:open_createApp("avg_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "update.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "aa.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "ctf.download.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "static.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "av.download.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "stub.avg.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "explabs.net", "/", "http:", "", gAppId);

                -- All of the above URL patterns can be substituted with "avg.com". This may register a user visiting the AVG website, since the homepage is not SSL/TLS.
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "AVGDM-", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "AVGINET", gAppId);
        end

        -- Bitdefender
        gAppId = gDetector:open_createApp("bitdefender_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "patches-please-change-me.cdn.bitdefender.net", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.bitdefender.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "upgr-mmxv.cdn.bitdefender.net", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "nimbus.bitdefender.net", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "da3e3.com", "/qscan", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "BDNC v", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Bitdefender", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "BDDownload", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "WSLib", gAppId);
        end

        -- This does not work for some reason. Attempted OU and CN did not work.
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "Bitdefender SRL");
        end

        -- F-Secure
        gAppId = gDetector:open_createApp("fsecure_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "sp.f-secure.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "orsp.f-secure.com", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "FsCcfDownload", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "FSORSP/", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "CCF DNS", gAppId);
        end

        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "F-Secure Corporation");
        end

        -- KVRT & KIS
        gAppId = gDetector:open_createApp("kaspersky_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "devbuilds.kaspersky-labs.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "dm.kaspersky-labs.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "slideshow.kaspersky-labs.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "geo.kaspersky.com", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Kaspersky Downloader", gAppId);
        end
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "Kaspersky Lab ZAO");
                gDetector:addSSLCnamePattern(0, gAppId, "ksn-stat-install.kaspersky-labs.com");
                gDetector:addSSLCnamePattern(0, gAppId, "activation.kaspersky.com");
                gDetector:addSSLCnamePattern(0, gAppId, "activation-v2.kaspersky.com");
        end

        -- Malwarebytes
        gAppId = gDetector:open_createApp("malwarebytes_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "mbamupdates.com", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "mbam -", gAppId);
        end
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "Malwarebytes Corporation");
                gDetector:addSSLCnamePattern(0, gAppId, "*.mwbsys.com");
        end

        -- McAfee
        gAppId = gDetector:open_createApp("mcafee_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.mcafee.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "data.hackerwatch.org", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "McHttpH", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "MPFv", gAppId);
        end
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "McAfee, Inc.");
                gDetector:addSSLCnamePattern(0, gAppId, "*.mcafee.com");
        end

        -- Norton
        gAppId = gDetector:open_createApp("norton_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "liveupdate.symantecliveupdate.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "buy-download.norton.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "spoc-pool-gtm.norton.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "stats.norton.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "csasmain.symantec.com", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "NS/", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "FSD", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Norton/", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "DING", gAppId);
        end
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "Symantec Corporation");
                gDetector:addSSLCnamePattern(0, gAppId, "shasta-rrs.symantec.com");
        end

        -- Sophos. Detection for this already exists in the OpenAppID Detector package.
        gAppId = gDetector:open_createApp("sophos_av");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "sophosupd.com", "/", "http:", "", gAppId);
        end
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SophosUpdateLibrary/", gAppId);
        end
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "Sophos Ltd.");
        end

        -- SUPERAntiSpyware
        gAppId = gDetector:open_createApp("santispyware");

        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SASDef_GetDescriptor", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SABUPDATE", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SASDIAGNOSTICITEM", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SAS_APP", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SABACTIVATION", gAppId);
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "SASThreatMap", gAppId);
        end

        return gDetector;
end

function DetectorValidator()
    local context = {}
    return clientFail(context)
end

function DetectorClean()
end

-- Must be added, otherwise error: (null): DetectorFini not provided
function DetectorFini()
end
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!

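Editor's added example, not code from the post or from the OpenAppID project: a small Python model of the three matching mechanisms the Lua detector above registers (addAppUrl host and path, the (2, 5, ...) HTTP patterns, addSSLCnamePattern names), run over constructed HTTP requests and TLS handshakes instead of pcaps. The matching semantics are this script's assumptions, chosen to mirror how the Lua calls read: a host pattern matches the exact host or any subdomain of it, a path pattern is a prefix, the HTTP patterns are User-Agent substrings, hostname-shaped SSL patterns are compared with SNI and certificate CN, and patterns containing a space are compared with the certificate's organization field only (a choice of this toy; the author reports that the "Bitdefender SRL" attempt did not fire in OpenAppID). The second HTTP pass uses the single "avg.com" host pattern the author mentions as a shortcut, which shows the over-match his comment warns about: ordinary browsing of www.avg.com is then classified as the AV client.

```python
# Toy model of the host / User-Agent / TLS-name matching the detector relies on.
# Editor's example; semantics are assumptions (see lead-in), not OpenAppID's code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AvApp:
    name: str                                                        # open_createApp() name
    urls: List[Tuple[str, str, str]] = field(default_factory=list)   # (host, path, scheme)
    user_agents: List[str] = field(default_factory=list)             # User-Agent substrings
    tls_names: List[str] = field(default_factory=list)               # SSL name patterns


# Subset of the post's patterns, copied from the Lua above.
RULES = [
    AvApp("avg_av",
          urls=[("update.avg.com", "/", "http:"), ("aa.avg.com", "/", "http:"),
                ("av.download.avg.com", "/", "http:")],
          user_agents=["AVGDM-", "AVGINET"]),
    AvApp("kaspersky_av",
          urls=[("dm.kaspersky-labs.com", "/", "http:"), ("geo.kaspersky.com", "/", "http:")],
          user_agents=["Kaspersky Downloader"],
          tls_names=["activation.kaspersky.com", "activation-v2.kaspersky.com"]),
    AvApp("malwarebytes_av",
          urls=[("mbamupdates.com", "/", "http:")],
          user_agents=["mbam -"],
          tls_names=["*.mwbsys.com"]),
    AvApp("sophos_av",
          urls=[("sophosupd.com", "/", "http:")],
          user_agents=["SophosUpdateLibrary/"],
          tls_names=["Sophos Ltd."]),
]
# The author's suggested shortcut for AVG: one host pattern for the whole domain.
BROAD_AVG = [AvApp("avg_av", urls=[("avg.com", "/", "http:")])]


def host_matches(pattern: str, host: str) -> bool:
    """Exact host or any subdomain; a leading '*.' (as in '*.mwbsys.com') is ignored."""
    pattern = pattern.lower().lstrip("*.")
    host = host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Request line plus headers (names lower-cased); enough for Host and User-Agent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    req = {"method": method, "path": target}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def classify_http(req: Dict[str, str], rules: List[AvApp] = RULES) -> Optional[Tuple[str, str]]:
    """First rule that fires wins; URL rules before User-Agent rules, as the Lua registers
    them. Returns (app name, what matched) or None."""
    host, ua = req.get("host", ""), req.get("user-agent", "")
    for app in rules:
        for h, path, scheme in app.urls:
            if scheme == "http:" and host_matches(h, host) and req["path"].startswith(path):
                return app.name, f"url {h}{path}"
        for pat in app.user_agents:
            if pat in ua:
                return app.name, f"user-agent {pat!r}"
    return None


def classify_tls(server_name: str, subject_cn: str, subject_o: str,
                 rules: List[AvApp] = RULES) -> Optional[Tuple[str, str]]:
    """Hostname-shaped patterns: SNI, then certificate CN. Patterns with a space are
    treated as organization names and compared with subject O only (toy's choice)."""
    for app in rules:
        for pat in app.tls_names:
            if " " in pat:
                if pat in subject_o:
                    return app.name, f"subject-o {pat!r}"
            elif host_matches(pat, server_name):
                return app.name, f"sni {pat}"
            elif host_matches(pat, subject_cn):
                return app.name, f"cn {pat}"
    return None


# Constructed sample traffic (not captured pcaps).
SAMPLE_REQUESTS = [
    b"GET /softw/15/update/x.bin HTTP/1.1\r\nHost: update.avg.com\r\nUser-Agent: AVGINET15\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.avg.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /v1/db HTTP/1.1\r\nHost: data.mbamupdates.com\r\nUser-Agent: mbam - 2.1.6\r\n\r\n",
    b"GET /up HTTP/1.1\r\nHost: example.org\r\nUser-Agent: SophosUpdateLibrary/1.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.40\r\n\r\n",
]
SAMPLE_TLS = [  # (SNI, certificate subject CN, certificate subject O)
    ("activation-v2.kaspersky.com", "activation-v2.kaspersky.com", "Kaspersky Lab ZAO"),
    ("cdn.mwbsys.com", "*.mwbsys.com", "Malwarebytes Corporation"),
    ("dci.sophosupd.com", "dci.sophosupd.com", "Sophos Ltd."),
]


def run_samples() -> Dict[str, list]:
    """HTTP samples classified with the specific host rules and again with the broad
    'avg.com' shortcut, so the extra hits of the shortcut are visible side by side."""
    return {
        "http_specific": [classify_http(parse_http_request(r)) for r in SAMPLE_REQUESTS],
        "http_broad_avg": [classify_http(parse_http_request(r), BROAD_AVG) for r in SAMPLE_REQUESTS],
        "tls": [classify_tls(*t) for t in SAMPLE_TLS],
    }


if __name__ == "__main__":
    for section, results in run_samples().items():
        print(section)
        for r in results:
            print("   ", r)
```

Run it as a script to see the three result lists; the www.avg.com request is None under the specific rules and avg_av under the broad one, which is the trade-off to weigh before collapsing a host list to the bare domain.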