[Snort-openappid] MS Device Metadata System detector

Y M snort at ...46...
Sat Sep 5 12:47:17 EDT 2015




Hello,
Another detector for the Device Metadata Retrieval Client, again based on user agent. Pcap is available.
--[[
detection_name: ms_dmrc
version: 1
description: Microsoft Windows Device Metadata Retrieval Client. Used by the Device Metadata System starting from Windows 7.
Reference: msdn.microsoft.com/en-us/library/windows/hardware/ff541449(v=vs.85).aspx
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

DetectorPackageInfo = {
        name = "ms_dmrc",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)
        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("ms_dmrc");

        -- Only engines that expose addHttpPattern can register the
        -- User-Agent pattern (type 2); older engines simply load no pattern.
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT", gAppId);
        end

        return gDetector;
end

function DetectorClean()
end
Thank you.
YM
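As an added illustration (not the poster's code and not part of the OpenAppID engine), the following offline check mimics what the detector above registers: a substring match on the HTTP User-Agent header. It can be pointed at request text pulled from a pcap to confirm which requests would be labelled ms_dmrc; the sample requests below are constructed, not taken from the poster's capture.

```python
from typing import Optional

# Same shape as the Lua detector's registration: pattern -> detection name.
USER_AGENT_PATTERNS = {
    b"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT": "ms_dmrc",
}


def user_agent(request: bytes) -> Optional[bytes]:
    """Return the User-Agent value of a raw HTTP/1.x request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive (RFC 7230), so normalise them.
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def classify(request: bytes) -> Optional[str]:
    """Return the detection name whose pattern occurs in the User-Agent, else None."""
    ua = user_agent(request)
    if ua is None:
        return None
    for pattern, app in USER_AGENT_PATTERNS.items():
        if pattern in ua:                         # plain substring match, as registered
            return app
    return None


# Constructed sample requests; paths and hosts are placeholders.
DMRC_REQUEST = (
    b"GET /example/metadata HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"user-agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT\r\n"
    b"\r\n"
)
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for req in (DMRC_REQUEST, BROWSER_REQUEST):
        print(user_agent(req), "->", classify(req))
```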