[Snort-openappid] Synology Cloud Station detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Tue Oct 4 09:17:04 EDT 2016

Can you send us a pcap for this also?

On Sep 30, 2016, at 11:24 AM, Y M <snort at ...46...<mailto:snort at ...46...>> wrote:


The attached detectors are for the client/server communication of Cloud Station - Synology's syncing client. The client detector is working as expected and each individual detection has been verified. However, I am having a hard time getting the server detector to work.

The sync handshake (TCP, port 6690 by default) fields sent by the client/server are clear (something like <field>|10 00 [1byte]|<value>) and the offsets seem to be consistent, at least among the models being tested. I would appreciate it if someone can take a look at these and tell what I am doing wrong. Going the route of using the flowTrackerModule, and defining SeriveAppID, AppID, something similar to the existing detectors (client_BitTorrent.lua and client_BitTorrent_Sync.lua) did not succeed either since (I guess) the ServiceID and AppID are/should be dynamically generated by OpenAppID.

Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at ...12...rge.net>

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20161004/1c29568d/attachment.html>

More information about the Snort-openappid mailing list