[Snort-openappid] Synology DSM app detector

Y M snort at ...46...
Fri Apr 15 10:17:02 EDT 2016


Hello all,


Below is an all-in-one detector for Synology DSM. The detector is also attached. Pcap is available.


--[[
detection_name: synology_dsm
version: 1
description: Synology devices are Network Attached Storage (NAS) appliances running Synology's DSM software.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;

-- Package metadata: detector name, transport protocol and the server-side
-- lifecycle callbacks. minimum_matches = 1 means a single pattern hit is
-- enough to label the flow.
DetectorPackageInfo = {
        name = "synology_dsm",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("synology_dsm");

        -- HTTP host + path patterns for the DSM back-end services
        -- (license keys, HDD pack updates, AirPrint, help/knowledge base, IP check)
        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/VERSION", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/kerying", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/keyinfo-sys", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "update.synology.com", "/updatesynohdpack/getSynohdpack.php", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.synology.com", "/airprint/DSM", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "www.synology.com", "/cgi/knowledgebase/?action=", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "help.synology.com", "/dsm/cgi/help/?action=", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "checkip.synology.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "checkipv6.synology.com", "/", "http:", "", gAppId);
        end


        -- HTTP header pattern: requests whose User-Agent begins with "Synology-"
        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Synology-", gAppId);
        end


        -- TLS server certificate common-name patterns
        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "global.download.synology.com");
                -- This wildcard certificate is used within DSM as well as on the public website
                gDetector:addSSLCnamePattern(0, gAppId, "*.synology.com");
        end

        return gDetector;
end

function DetectorClean()
end


Thank you.

YM
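An offline checker for the pattern set in the detector above. This is an added example, not part of the original post or of Snort's OpenAppID code: it re-expresses the three kinds of evidence the Lua detector registers (HTTP host plus path prefix, HTTP User-Agent prefix, TLS certificate common name) as plain Python matching, so the rule set can be exercised against constructed sample records without running Snort. The matching semantics are assumptions made for this example, not a statement of how OpenAppID's pattern engine works: host compare is exact and case-insensitive, path and User-Agent are prefix matches, and a CN pattern beginning with `*.` matches either the literal wildcard CN (what a wildcard certificate actually carries) or one label directly beneath it. The sample records and the `Synology-DSM/...` User-Agent string are constructed, not captured traffic.

```python
"""Offline checker for the Synology DSM OpenAppID pattern set.

Added example, not part of the original post or of Snort/OpenAppID.
Matching semantics below are assumptions for this example only.
"""
from typing import Dict, List, Optional, Tuple

APP_ID = "synology_dsm"

# (host, path prefix) pairs copied from the detector's addAppUrl calls
URL_PATTERNS: List[Tuple[str, str]] = [
    ("keymaker.synology.com", "/VERSION"),
    ("keymaker.synology.com", "/kerying"),
    ("keymaker.synology.com", "/keyinfo-sys"),
    ("update.synology.com", "/updatesynohdpack/getSynohdpack.php"),
    ("download.synology.com", "/airprint/DSM"),
    ("www.synology.com", "/cgi/knowledgebase/?action="),
    ("help.synology.com", "/dsm/cgi/help/?action="),
    ("checkip.synology.com", "/"),
    ("checkipv6.synology.com", "/"),
]
# User-Agent prefix from the addHttpPattern call
UA_PREFIXES: List[str] = ["Synology-"]
# Certificate common-name patterns from the addSSLCnamePattern calls
CN_PATTERNS: List[str] = ["global.download.synology.com", "*.synology.com"]


def match_url(host: str, path: str) -> bool:
    """True if the host is listed and the path starts with its registered prefix."""
    host = host.lower()
    return any(host == h and path.startswith(p) for h, p in URL_PATTERNS)


def match_user_agent(user_agent: str) -> bool:
    """True if the User-Agent header starts with a registered prefix."""
    return any(user_agent.startswith(p) for p in UA_PREFIXES)


def match_ssl_cn(common_name: str) -> bool:
    """True if the server certificate CN matches a registered pattern.

    Assumed semantics: exact case-insensitive compare (covers a literal
    wildcard CN such as "*.synology.com"), and for patterns starting with
    "*." also a single label directly under that domain.
    """
    cn = common_name.lower()
    for pattern in CN_PATTERNS:
        pat = pattern.lower()
        if cn == pat:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]  # ".synology.com"
            if cn.endswith(suffix):
                label = cn[: -len(suffix)]
                if label and "." not in label:
                    return True
    return False


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return APP_ID when any single evidence type matches, else None.

    A record is a flat dict with optional keys host, path, user_agent and
    ssl_cn; one hit suffices, mirroring the detector's minimum_matches = 1.
    """
    if "host" in record and "path" in record and match_url(record["host"], record["path"]):
        return APP_ID
    if "user_agent" in record and match_user_agent(record["user_agent"]):
        return APP_ID
    if "ssl_cn" in record and match_ssl_cn(record["ssl_cn"]):
        return APP_ID
    return None


# Constructed sample records (not captured traffic)
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"host": "update.synology.com", "path": "/updatesynohdpack/getSynohdpack.php?v=1"},
    {"host": "checkip.synology.com", "path": "/"},
    {"user_agent": "Synology-DSM/6.0 (constructed)"},
    {"ssl_cn": "*.synology.com"},
    {"ssl_cn": "global.download.synology.com"},
    {"host": "www.synology.com", "path": "/en-global/products"},  # path not registered
    {"user_agent": "Mozilla/5.0"},
    {"ssl_cn": "synology.com.example.net"},  # lookalike, must not match
]


def run_samples() -> List[Optional[str]]:
    """Classify every sample record in order."""
    return [classify(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, result in zip(SAMPLE_RECORDS, run_samples()):
        print(f"{result or '-':14} {rec}")
```

The last three sample records are the useful ones when reviewing a detector like this: a registered host with an unregistered path, a generic browser User-Agent and a lookalike domain that merely contains the string "synology.com" all stay unlabelled, which is the behaviour you want to confirm before deploying an app identifier that may feed firewall policy.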
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synology_dsm.lua
Type: application/octet-stream
Size: 1954 bytes
Desc: synology_dsm.lua
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160415/d5a669a8/attachment.obj>