Snort mailing list archives
Re: [Snort-openappid] Gmail detection
From: Sabu Thaliyath <sabu.thaliyath () gmail com>
Date: Fri, 31 Oct 2014 22:06:59 +0530
Please ignore... intended to send to snort-openappid instead of snort-users. My apologies.

Regards,
Sabu

On Fri, Oct 31, 2014 at 3:37 PM, Sabu Thaliyath <sabu.thaliyath () gmail com> wrote:

Hi Costas,

I am facing the same issue as Payman. Tried tweaking 'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked. But no luck. I see none of the https websites or applications getting blocked. Is there any documentation on how lua/ssl_host_group_belvedere.lua works? I read the Open Source Detectors developer guide but still couldn't figure out much. Any plans to fix this issue?

Regards,
Sabu

Re: [Snort-openappid] Gmail detection (http://sourceforge.net/p/snort/mailman/message/32704933/)
From: Costas Kleopa (ckleopa) <ckleopa@ci...> - 2014-08-11 14:45:14

Payman,

Thank you for bringing it to our attention. The correct configuration files for gmail are with the use of the SSL Host patterns. If you see openappid/odp/lua/ssl_host_group_belvedere.lua we have the following patterns now.

    { 0, 655, '*.mail.google.com' },
    { 0, 655, 'imap.gmail.com' },

We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com and mail.google.com.

Thanks
Costas

From: Peyman Gohari <peyman.gohari.pub@...>
Date: Monday, August 11, 2014 at 10:04 AM
To: "snort-openappid@..." <snort-openappid@...>
Subject: [Snort-openappid] Gmail detection

Hi

I have been trying OpenAppId using snort-2.9.7.0_beta. I am quite happy with the result when it comes to detecting non-HTTPS sites (ex: cnn.com, as per the tutorial). However, for an obscure reason, it does not recognise Gmail.

It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

    function DetectorInit(detectorInstance)
        gDetector = detectorInstance
        -- Register the HTTP pattern actions only if this OpenAppID build
        -- exposes the CHP API; 655 is the Gmail app id (the same id used in
        -- the SSL host pattern table).
        if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
            gDetector:CHPCreateApp(655, 1, 0);
            gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
            gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
            gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
        end
        return gDetector
    end

I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help
PG
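What the SSL host patterns quoted in Costas's reply do for an HTTPS flow, and why a table holding only '*.mail.google.com' and 'imap.gmail.com' can miss a Gmail session, can be shown with a small model. The following is an added example written for this page; it is not code from Snort, OpenAppID or anyone in the thread. It parses the server_name (SNI) extension out of a TLS ClientHello and matches the host against a pattern table with the same (type, appId, pattern) shape as the quoted Lua entries. Assumptions, also marked in the code: a leading "*." matches any subdomain of the suffix but not the bare name itself (Snort's own matcher may behave differently), 655 is the Gmail app id as in the quoted table, the extra 'mail.google.com' and 'gmail.com' entries stand in for the fix Costas describes rather than copying the shipped file, and the ClientHello is constructed inline rather than captured.

```python
"""Model of OpenAppID-style SSL host pattern matching on the TLS SNI.

Added example; not Snort/OpenAppID code. Pattern tuples copy the shape of
the entries quoted from ssl_host_group_belvedere.lua: (type, appId, pattern).
"""
import struct

GMAIL_APPID = 655  # app id used for Gmail in the quoted pattern table

# Entries quoted in the thread.
ORIGINAL_PATTERNS = [
    (0, GMAIL_APPID, '*.mail.google.com'),
    (0, GMAIL_APPID, 'imap.gmail.com'),
]
# Assumption: the fix Costas mentions adds bare-host entries like these.
FIXED_PATTERNS = ORIGINAL_PATTERNS + [
    (0, GMAIL_APPID, 'mail.google.com'),
    (0, GMAIL_APPID, 'gmail.com'),
]


def host_matches(pattern, host):
    """Assumed semantics: '*.x' matches any subdomain of x, never x itself."""
    host = host.lower().rstrip('.')
    pattern = pattern.lower()
    if pattern.startswith('*.'):
        suffix = pattern[1:]            # '.mail.google.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify_host(host, patterns):
    """Return the app id of the first matching pattern, or None."""
    for _ptype, appid, pattern in patterns:
        if host_matches(pattern, host):
            return appid
    return None


def extract_sni(record):
    """Pull server_name out of a TLS record holding a ClientHello.

    Returns None when the record is not a ClientHello, carries no SNI, or is
    truncated/malformed (every length field is bounds-checked).
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], 'big')
    data = record[9:9 + hs_len]
    if len(data) != hs_len:
        return None
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + data[pos]                                   # session_id
        pos += 2 + struct.unpack('!H', data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                                   # compression_methods
        if pos + 2 > len(data):
            return None                                        # no extensions block
        end = pos + 2 + struct.unpack('!H', data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack('!HH', data[pos:pos + 4])
            pos += 4
            ext = data[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:  # server_name / host_name
                name_len = struct.unpack('!H', ext[3:5])[0]
                if len(ext) >= 5 + name_len:
                    return ext[5:5 + name_len].decode('ascii')
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def detect_appid(record, patterns):
    """SNI-based classification of one ClientHello against a pattern table."""
    host = extract_sni(record)
    return None if host is None else classify_host(host, patterns)


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode('ascii')
    entry = b'\x00' + struct.pack('!H', len(name)) + name      # host_name entry
    sni = struct.pack('!H', len(entry)) + entry                # server_name list
    ext = struct.pack('!HH', 0, len(sni)) + sni                # extension type 0
    body = (b'\x03\x03' + b'\x11' * 32                         # version, fixed random
            + b'\x00'                                          # empty session_id
            + b'\x00\x02\xc0\x2f'                              # one cipher suite
            + b'\x01\x00'                                      # null compression only
            + struct.pack('!H', len(ext)) + ext)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


if __name__ == '__main__':
    for host in ('mail.google.com', 'foo.mail.google.com', 'imap.gmail.com'):
        rec = build_client_hello(host)
        print(host, detect_appid(rec, ORIGINAL_PATTERNS), detect_appid(rec, FIXED_PATTERNS))
```

Under the stated wildcard assumption, a browser ClientHello with SNI mail.google.com gets no app id from the original table and 655 from the extended one, while foo.mail.google.com and imap.gmail.com are classified by both; this is the gap a practitioner should check for (by looking at the SNI actually sent, not the URL) before editing the Lua pattern file.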