[Snort-openappid] NetSarang detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Oct 19 09:51:05 EDT 2015


Thanks for your contribution. We will add this to our roadmap. Please share the pcaps when ready.

Thanks,
Costas

On Oct 19, 2015, at 9:46 AM, Y M <snort at ...46...> wrote:

Hello,

Below is a detector for NetSarang apps. Pcaps are available if needed.

--[[
detection_name: netsarang_x
version: 1
description: NetSarang X products including Xshell, Xlpd, Xftp, and Xmanager.
Product URL: www.netsarang.com
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "netsarang_x",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("netsarang_x");

        if gDetector.addAppUrl then
                -- URLs when attempting an update.
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "netsarang.com", "/trueupdate/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "netsarang.com", "/verchk/verchk.php", "http:", "", gAppId);
                --[[
                        URL when optional GhostScript installation is enabled during
                        NetSarang's Xlpd installation.
                --]]
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "netsarang.co.kr", "/verchk/move.html", "http:", "", gAppId);

        end
        if gDetector.addHttpPattern then
                -- User-Agent when an update request is made.
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "TrueUpdate", gAppId);
                --[[
                        User-Agent when optional GhostScript installation is enabled during
                        NetSarang's Xlpd installation.
                --]]
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "toys::file", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end

Thanks.
YM
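
The detector's indicators applied to HTTP proxy log fields, as an added example that is not part of the original post or of OpenAppID. The matching rules (host on a label boundary, path prefix, User-Agent substring), the verdict labels and the sample log lines are assumptions constructed for illustration and only approximate how Snort evaluates these patterns.

```python
# Indicators copied from the detector's addAppUrl / addHttpPattern calls.
URL_PATTERNS = [
    ("netsarang.com", "/trueupdate/"),
    ("netsarang.com", "/verchk/verchk.php"),
    ("netsarang.co.kr", "/verchk/move.html"),
]
USER_AGENT_PATTERNS = ["TrueUpdate", "toys::file"]

# Constructed sample proxy log: host <TAB> path <TAB> User-Agent.
SAMPLE_LOG = (
    "www.netsarang.com\t/trueupdate/sample.bin\tTrueUpdate\n"
    "www.netsarang.com\t/verchk/verchk.php?ver=5\tMozilla/5.0\n"
    "www.netsarang.co.kr\t/verchk/move.html\ttoys::file\n"
    "netsarang.com.example.net\t/trueupdate/x\tMozilla/5.0\n"
    "updates.example.org\t/check\tTrueUpdate\n"
)


def host_matches(host, pattern):
    """Assumed rule: exact host or subdomain, so lookalike hosts do not match."""
    host = host.split(":", 1)[0].lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def classify(host, path, user_agent):
    """Return the detector indicators hit by one HTTP request."""
    hits = [f"url:{h}{p}" for h, p in URL_PATTERNS
            if host_matches(host, h) and path.lower().startswith(p)]
    hits += [f"ua:{ua}" for ua in USER_AGENT_PATTERNS
             if ua.lower() in user_agent.lower()]
    return hits


def triage(log_text):
    """Label each request; a User-Agent hit with no URL hit is kept apart (assumed policy)."""
    results = []
    for line in log_text.splitlines():
        host, path, user_agent = line.split("\t")
        hits = classify(host, path, user_agent)
        if any(h.startswith("url:") for h in hits):
            verdict = "netsarang_x"
        elif hits:
            verdict = "ua-only"
        else:
            verdict = "no-match"
        results.append((host, verdict, hits))
    return results


if __name__ == "__main__":
    for host, verdict, hits in triage(SAMPLE_LOG):
        print(f"{verdict:12} {host:28} {hits}")
```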