[Snort-openappid] MS Device Metadata System detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Tue Sep 8 10:22:10 EDT 2015

Thank you for your 2 contributions again. We will add this to our roadmap.

Please send us the traffic also if possible.


On Sep 5, 2015, at 12:47 PM, Y M <snort at ...46...<mailto:snort at ...46...>> wrote:


Another detector for the Device Metadata Retrieval Client, again based on user agent. Pcap is available.

detection_name: ms_dmrc
version: 1
description: Microsoft Windows Device Metadata Retrieval Client. Used by the Device Metadata System starting from Windows 7.
Reference: msdn.microsoft.com/en-us/library/windows/hardware/ff541449<http://msdn.microsoft.com/en-us/library/windows/hardware/ff541449>(v=vs.85).aspx

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "ms_dmrc",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("ms_dmrc");

        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT", gAppId);

        return gDetector;

function DetectorClean()

Thank you.
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at ...12...rge.net>

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20150908/1d1a1cfc/attachment.html>

More information about the Snort-openappid mailing list