<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px;">
<div><font face="Verdana">Sabu,</font></div>
<div><font face="Verdana"><br>
</font></div>
<div><font face="Verdana">We have actually released a new version of our detector package today at https://www.snort.org/downloads, in which we have also included the fix for this issue. </font></div>
<div><font face="Verdana"><br>
</font></div>
<div><font face="Verdana">Feel free to download that one and make sure that your version of the odp package is the following:</font></div>
<div><font face="Verdana"><br>
</font></div>
<div>
<p style="margin: 0px;"><font face="Verdana">odp/version.conf </font></p>
<p style="margin: 0px;"><font face="Verdana">VERSION=223</font></p>
</div>
<div><font face="Verdana"><br>
</font></div>
<div><font face="Verdana">Let us know if you are still seeing more issues after you test it with this one.</font></div>
<div><font face="Verdana"><br>
</font></div>
<div><font face="Verdana">Thanks</font></div>
<div><font face="Verdana">Costas</font></div>
<div style="font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><br>
</div>
<div style="font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif; color: rgb(0, 0, 0);">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Sabu Thaliyath &lt;<a href="mailto:sabu.thaliyath@...8...">sabu.thaliyath@...8...</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Friday, October 31, 2014 at 12:35 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:Snort-openappid@lists.sourceforge.net">Snort-openappid@lists.sourceforge.net</a>" &lt;<a href="mailto:Snort-openappid@lists.sourceforge.net">Snort-openappid@lists.sourceforge.net</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [Snort-openappid] Gmail detection<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div style="font-family:arial,sans-serif;font-size:13px">Hi Costas,</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">I am facing the same issue as Peyman. Tried tweaking 'openappid/odp/lua/ssl_host_group_belvedere.lua' to get Gmail blocked. But no luck. I see none of the https websites or applications getting blocked.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">Is there any documentation on how lua/ssl_host_group_belvedere.lua works? I read the Opensource Detectors developer guide but still couldn't figure out much.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">Any plans to fix this issue?</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">Regards,</div>
<div style="font-family:arial,sans-serif;font-size:13px">Sabu</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
<b><a href="http://sourceforge.net/p/snort/mailman/message/32704933/" target="_blank">Re: [Snort-openappid] Gmail detection</a></b><br>
<small>From: Costas Kleopa (ckleopa) &lt;ckleopa@...49...&gt; - 2014-08-11 14:45:14</small>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
<pre style="white-space:pre-wrap;margin-top:0px;margin-bottom:0px;padding:15px;border-width:0px 0px 0px 1px;border-left-style:solid;border-left-color:rgb(229,229,229);outline:0px;vertical-align:baseline;font-family:monospace,sans-serif;word-wrap:break-word;overflow:auto;color:rgb(85,85,85);line-height:18px;background-image:initial;background-repeat:initial">Peyman,

Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the SSL Host patterns.
If you look at openappid/odp/lua/ssl_host_group_belvedere.lua, we have the following patterns now.

 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },

We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.

Thanks
Costas

From: Peyman Gohari &lt;peyman.gohari.pub@...39...&gt;
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid@...39..." &lt;snort-openappid@...39...&gt;
Subject: [Snort-openappid] Gmail detection

Hi

  I have been trying OpenAppId using snort-2.9.7.0_beta.
  I am quite happy with the result when it comes to detecting non-HTTPS sites (ex: cnn.com; as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- CHP (Complex HTTP Pattern) entries are matched against decoded HTTP request
    -- fields, so they cannot match a request carried inside a TLS session.
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);                           -- 655 = Gmail app id
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, ""); -- pattern type 1: Host header
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");            -- pattern type 3: request URI
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");         -- action 2: capture the gxlu= value up to '&'
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help
PG</pre>
</div>
</div>
</div>
</div>
</span>
</body>
</html>