[Snort-openappid] Synology Cloud Station detector

Y M snort at ...46...
Fri Sep 30 11:24:13 EDT 2016


The attached detectors are for the client/server communication of Cloud Station - Synology's syncing client. The client detector is working as expected and each individual detection has been verified. However, I am having a hard time getting the server detector to work.

The sync handshake (TCP, port 6690 by default) fields sent by the client/server are clear (something like <field>|10 00 [1byte]|<value>) and the offsets seem to be consistent, at least among the models being tested. I would appreciate it if someone could take a look at these and tell me what I am doing wrong. Going the route of using the flowTrackerModule and defining ServiceID, AppID, something similar to the existing detectors (client_BitTorrent.lua and client_BitTorrent_Sync.lua), did not succeed either since (I guess) the ServiceID and AppID are/should be dynamically generated by OpenAppID.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: clds_client.lua
Type: application/octet-stream
Size: 849 bytes
Desc: clds_client.lua
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160930/fbe9a5e7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clds_server.lua
Type: application/octet-stream
Size: 819 bytes
Desc: clds_server.lua
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160930/fbe9a5e7/attachment-0001.obj>
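As an added example (not part of the post and not the attached detectors): a small Python parser for the handshake layout the post describes, used to confirm that the field offsets really are fixed across captures before they are hard-coded into a server-side pattern. It assumes that the `10 00` bytes are a fixed separator and that the single byte after them is the value length; the post only says "something like", so both are assumptions, and the sample handshakes below are constructed, not captured traffic.

```python
# Added example, not code from the post or from the attached clds_*.lua detectors.
# Assumed record layout (from the post's "<field>|10 00 [1byte]|<value>"):
#     <name> 10 00 <len> <value>
# where <len> is one byte giving the value length. Adjust if a capture differs.

FIELD_SEP = b"\x10\x00"
DEFAULT_PORT = 6690  # Cloud Station sync port, per the post


def parse_handshake(buf):
    """Parse records from buf. Returns (fields, consumed, offsets).

    fields:   {name: value_bytes} in order of appearance
    consumed: number of bytes that formed complete records
    offsets:  {name: offset of the name's first byte in buf}
    Parsing stops at the first malformed or truncated record.
    """
    fields, offsets = {}, {}
    pos = 0
    while pos < len(buf):
        sep = buf.find(FIELD_SEP, pos)
        if sep < 0:
            break
        name = buf[pos:sep]
        # Field names are assumed to be printable ASCII; anything else is not a record.
        if not name or any(b < 0x20 or b > 0x7E for b in name):
            break
        len_pos = sep + len(FIELD_SEP)
        if len_pos >= len(buf):
            break  # separator present but the length byte is missing
        vlen = buf[len_pos]
        vstart, vend = len_pos + 1, len_pos + 1 + vlen
        if vend > len(buf):
            break  # truncated value: do not emit a partial field
        key = name.decode("ascii")
        fields[key] = buf[vstart:vend]
        offsets[key] = pos
        pos = vend
    return fields, pos, offsets


def is_complete_handshake(buf, min_fields=2):
    """True if buf consists entirely of well-formed records (at least min_fields of them)."""
    fields, consumed, _ = parse_handshake(buf)
    return len(fields) >= min_fields and consumed == len(buf)


def consistent_offsets(samples):
    """Return the shared {name: offset} map if every sample places each field at the
    same offset, else None. A fixed-offset pattern is only safe when this holds."""
    maps = [parse_handshake(s)[2] for s in samples]
    if not maps or any(m != maps[0] for m in maps):
        return None
    return maps[0]


# Constructed sample handshakes (not captured traffic). A and B agree on layout;
# C inserts an extra field, which shifts every later offset.
SAMPLE_A = (b"version" + FIELD_SEP + b"\x03" + b"2.0"
            + b"host" + FIELD_SEP + b"\x04" + b"ds01")
SAMPLE_B = (b"version" + FIELD_SEP + b"\x03" + b"2.1"
            + b"host" + FIELD_SEP + b"\x04" + b"ds02")
SAMPLE_C = (b"version" + FIELD_SEP + b"\x03" + b"2.0"
            + b"model" + FIELD_SEP + b"\x02" + b"xx"
            + b"host" + FIELD_SEP + b"\x04" + b"ds03")


if __name__ == "__main__":
    print(parse_handshake(SAMPLE_A))
    print("complete:", is_complete_handshake(SAMPLE_A),
          "truncated:", is_complete_handshake(SAMPLE_A[:-1]))
    print("A/B offsets:", consistent_offsets([SAMPLE_A, SAMPLE_B]))
    print("A/C offsets:", consistent_offsets([SAMPLE_A, SAMPLE_C]))
```

Feeding the first server segment from each tested model into `consistent_offsets` tells you whether a single offset-anchored pattern can cover all of them; if it returns None, the detector's validator has to walk the records as `parse_handshake` does rather than matching at a fixed offset. The truncation checks matter for the same reason: a validator that reads a length byte and slices past the end of the segment will mis-classify on the first short packet.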
