[Snort-openappid] Mobatek Xterm detector

Y M snort at ...46...
Mon Nov 23 03:44:08 EST 2015


Hello,


The detector below is for the MobaTek SSH client/X11 server. Pcap is available as always.


--[[
detection_name: mobatek_xterm
version: 1
description: Tabbed terminal client for Windows with embedded X11 server.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "mobatek_xterm",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("mobatek_xterm");

        -- Client update check: host mobaxterm.mobatek.net, path /lastver.php,
        -- scheme "http:", no query pattern. Payload id and app id are both gAppId.
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "mobaxterm.mobatek.net", "/lastver.php", "http:", "", gAppId);
        end
        -- HTTP User-Agent pattern (pattern type 2 = user agent) containing "MobaXterm".
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "MobaXterm", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end


Thanks.

YM
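As an added example (not part of the original post and not OpenAppID code), the Python script below applies the two patterns registered in DetectorInit to constructed HTTP requests, so the traffic the detector keys on can be seen without the pcap. Both registrations are HTTP patterns: the detector identifies MobaXterm by its update check to mobaxterm.mobatek.net/lastver.php and by its User-Agent string, not by anything in the SSH or X11 sessions themselves, so it only fires where Snort's HTTP inspection sees that traffic. The host-suffix/path-prefix and User-Agent-substring matching used here is an assumption about how OpenAppID evaluates these patterns, and the sample requests are constructed, not captured.

```python
"""Offline check of what the mobatek_xterm detector above matches.

Added example, not part of the original post or of OpenAppID. It approximates
the two registrations in DetectorInit: the addAppUrl entry is treated as a
host-suffix plus path-prefix match on the Host header and request target
(assumption about how OpenAppID evaluates URL patterns), and the
addHttpPattern entry as a substring match on the User-Agent header. The
HTTP requests below are constructed samples, not captured traffic.
"""

# Values copied from the detector's addAppUrl / addHttpPattern calls.
APP_URL_HOST = "mobaxterm.mobatek.net"
APP_URL_PATH = "/lastver.php"
USER_AGENT_PATTERN = "MobaXterm"


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def match_app_url(req: dict) -> bool:
    """Host suffix + path prefix match, standing in for the addAppUrl entry (assumption)."""
    host = req["headers"].get("host", "").split(":", 1)[0].lower()
    path = req["target"].split("?", 1)[0]
    return host.endswith(APP_URL_HOST) and path.startswith(APP_URL_PATH)


def match_user_agent(req: dict) -> bool:
    """Substring match on User-Agent, standing in for the addHttpPattern entry (assumption)."""
    return USER_AGENT_PATTERN in req["headers"].get("user-agent", "")


def classify(raw: bytes) -> list:
    """Return the names of the detector patterns a request would trigger."""
    req = parse_request(raw)
    hits = []
    if match_app_url(req):
        hits.append("app_url")
    if match_user_agent(req):
        hits.append("user_agent")
    return hits


# Constructed sample requests (not taken from the pcap mentioned in the post).
SAMPLES = {
    # Update check: host, path and User-Agent all match.
    "update_check": (
        b"GET /lastver.php HTTP/1.1\r\n"
        b"Host: mobaxterm.mobatek.net\r\n"
        b"User-Agent: MobaXterm\r\n\r\n"
    ),
    # Same User-Agent to an unrelated host: only the User-Agent pattern fires.
    "ua_only": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: MobaXterm\r\n\r\n"
    ),
    # Same path on an unrelated host with a generic client: nothing fires.
    "no_match": (
        b"GET /lastver.php HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: curl/7.0\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw) or ['-']}")
```

The "ua_only" case is the one worth keeping in mind when tuning: with minimum_matches = 1, a User-Agent hit alone is enough to tag the flow, so any request carrying "MobaXterm" in its User-Agent will be classified even when it never touches the update-check URL.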