[Snort-openappid] Synology DSM app detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Apr 18 10:07:30 EDT 2016


Thank you for your contribution. We will add this to our roadmap.

On Apr 15, 2016, at 10:17 AM, Y M <snort at ...46...> wrote:

Hello all,

Below is an all-in-one detector for Synology DSM. The detector is also attached. Pcap is available.

--[[
detection_name: synology_dsm
version: 1
description: Synology is a Network Attached Storage (NAS) appliance running Synology's DSM software.
--]]

require "DetectorCommon"
local DC = DetectorCommon

local proto = DC.ipproto.tcp;
DetectorPackageInfo = {
        name = "synology_dsm",
        proto = proto,
        server = {
                init = 'DetectorInit',
                clean = 'DetectorClean',
                minimum_matches = 1
        }
}

function DetectorInit(detectorInstance)

        gDetector = detectorInstance;
        gAppId = gDetector:open_createApp("synology_dsm");

        if gDetector.addAppUrl then
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/VERSION", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/kerying", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "keymaker.synology.com", "/keyinfo-sys", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "update.synology.com", "/updatesynohdpack/getSynohdpack.php", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "download.synology.com", "/airprint/DSM", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "www.synology.com", "/cgi/knowledgebase/?action=", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "help.synology.com", "/dsm/cgi/help/?action=", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "checkip.synology.com", "/", "http:", "", gAppId);
                gDetector:addAppUrl(0, 0, 0, gAppId, 0, "checkipv6.synology.com", "/", "http:", "", gAppId);
        end

        if gDetector.addHttpPattern then
                gDetector:addHttpPattern(2, 5, 0, gAppId, 0, 0, 0, "Synology-", gAppId);
        end

        if gDetector.addSSLCnamePattern then
                gDetector:addSSLCnamePattern(0, gAppId, "global.download.synology.com");
                -- This wildcard certificate is used within DSM as well as on the public website
                gDetector:addSSLCnamePattern(0, gAppId, "*.synology.com");
        end

        return gDetector;
end

function DetectorClean()
end

Thank you.
YM
<synology_dsm.lua>