[Snort-openappid] NetSarang detector

Y M snort at ...46...
Mon Oct 19 09:46:03 EDT 2015


Hello,

Below is a detector for the NetSarang apps. Pcaps are available if needed.

--[[
detection_name: netsarang_x
version: 1
description: NetSarang X products including Xshell, Xlpd, Xftp, and Xmanager.
Product URL: www.netsarang.com
--]]

require "DetectorCommon"
local DC = DetectorCommon

--- Manifest describing this detector: the app name, the transport it watches
-- (TCP) and the names of the server-side init/clean hooks defined below.
-- Deliberately global rather than local; presumably the OpenAppId loader looks
-- it up by this name after running the file.
DetectorPackageInfo = {
        name = "netsarang_x",
        proto = DC.ipproto.tcp,
        server = {
                init = "DetectorInit",
                clean = "DetectorClean",
                minimum_matches = 1,
        },
}

--- Framework entry point named in DetectorPackageInfo.server.init.
-- Creates the app id for NetSarang's X products and, when the running
-- framework exposes the hooks, registers the HTTP URL and User-Agent
-- patterns that identify their update traffic.
-- @param detectorInstance framework detector object; only its
--   open_createApp, addAppUrl and addHttpPattern methods are used here
-- @return the same detector object
function DetectorInit(detectorInstance)
        -- gDetector/gAppId are left global on purpose: that is the usual
        -- OpenAppId detector convention for state shared across hooks.
        gDetector = detectorInstance
        gAppId = gDetector:open_createApp("netsarang_x")

        -- {host, path} pairs, registered in this order.
        local url_patterns = {
                -- URLs requested when the product attempts an update.
                { "netsarang.com", "/trueupdate/" },
                { "netsarang.com", "/verchk/verchk.php" },
                -- URL fetched when the optional GhostScript installation is
                -- enabled during NetSarang's Xlpd installation.
                { "netsarang.co.kr", "/verchk/move.html" },
        }
        -- User-Agent strings, registered in this order.
        local ua_patterns = {
                -- User-Agent sent by the update request.
                -- NOTE(review): "TrueUpdate" is also the name of a third-party
                -- updater toolkit shipped by other vendors, so on its own it
                -- may attribute other products' update traffic to this app;
                -- confirm the attribution against the captured pcaps.
                "TrueUpdate",
                -- User-Agent seen when the optional GhostScript installation
                -- is enabled during NetSarang's Xlpd installation.
                "toys::file",
        }

        -- The hooks are feature-checked before use, presumably so the
        -- detector still loads on framework builds that lack them.
        if gDetector.addAppUrl then
                for _, entry in ipairs(url_patterns) do
                        gDetector:addAppUrl(0, 0, 0, gAppId, 0, entry[1], entry[2], "http:", "", gAppId)
                end
        end
        if gDetector.addHttpPattern then
                for _, agent in ipairs(ua_patterns) do
                        gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, agent, gAppId)
                end
        end

        return gDetector
end

--- Teardown hook named in DetectorPackageInfo.server.clean. DetectorInit
-- only registers patterns with the framework and holds no resources of its
-- own, so there is nothing to release here.
function DetectorClean()
        -- intentionally a no-op
end

Thanks.
YM
 		 	   		  