Snort mailing list archives

Re: [Snort-openappid] Gmail detection


From: Sabu Thaliyath <sabu.thaliyath () gmail com>
Date: Fri, 31 Oct 2014 15:37:23 +0530

Hi Costas,

I am facing the same issue as Payman. Tried tweaking
'openappid/odp/lua/ssl_host_group_belvedere.lua' to get gmail blocked.
But no luck. I see none of the https websites or applications getting
blocked.

Is there any documentation on how lua/ssl_host_group_belvedere.lua works?
I read the Opensource Detectors developer guide but still couldn't figure out
much.

Any plans to fix this issue?

Regards,
Sabu


Re: [Snort-openappid] Gmail detection
<http://sourceforge.net/p/snort/mailman/message/32704933/>
From: Costas Kleopa (ckleopa) <ckleopa@ci...> - 2014-08-11 14:45:14


Payman,

Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the
SSL Host patterns.
If you see the openappid/odp/lua/ssl_host_group_belvedere.lua we have
the following patterns now.


 { 0, 655, '*.mail.google.com' },

 { 0, 655, 'imap.gmail.com' },


We will put the fix for this in our next release to allow the proper
SSL patterns from gmail.com and mail.google.com.

Thanks
Costas

From: Peyman Gohari <peyman.gohari.pub@...>
Date: Monday, August 11, 2014 at 10:04 AM
To: snort-openappid@...
Subject: [Snort-openappid] Gmail detection

Hi

  I have been trying OpenAppId using snort-2.9.7.0_beta.
  I am quite happy with the result when it comes to detecting non
HTTPS sites (ex: cnn.com; as per the tutorial).
  However, for an obscure reason, it does not recognise Gmail. It
seems that the code used for detecting Gmail sits in
openappid/odp/lua/payload_gmail_userid.lua, with the core function
being:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    -- Register the Gmail patterns (app id 655) only if the detector
    -- instance exposes the CHP API.
    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then
        gDetector:CHPCreateApp(655, 1, 0);
        gDetector:CHPAddAction(655, 1, 1, "mail.google.com", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");
        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");
    end
    return gDetector
end

  I am curious to understand how the recognition of sites like Gmail
works. I am looking for documentation on the function CHPCreateApp or
any explanation on how the function DetectorInit works. If someone can
help me, that would be great.

Thanks for your help
PG
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
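To see why the two quoted SSL host patterns can leave a bare "mail.google.com" server name unclassified, here is a small added matcher in Python (not Snort or OpenAppID code, and not posted by anyone in this thread). It takes the pattern rows in the shape quoted from ssl_host_group_belvedere.lua and checks constructed TLS server names (SNI values) against them. The '*.' matching rule, the FIXED_PATTERNS rows, and the function names are assumptions of this example; the real OpenAppID matcher may behave differently.

```python
"""Toy SSL-host-pattern matcher, in the shape of the ssl_host_group
tables quoted in the thread. Added illustration only; the '*.' semantics
below are an assumption of this example, not a description of OpenAppID."""

from typing import Dict, Iterable, List, Optional, Tuple

GMAIL_APP_ID = 655

# Pattern rows as (flags, app_id, pattern). The first two rows are the
# ones quoted from ssl_host_group_belvedere.lua; the rows in
# FIXED_PATTERNS are a hypothetical version of the planned fix.
Pattern = Tuple[int, int, str]

QUOTED_PATTERNS: List[Pattern] = [
    (0, GMAIL_APP_ID, "*.mail.google.com"),
    (0, GMAIL_APP_ID, "imap.gmail.com"),
]

FIXED_PATTERNS: List[Pattern] = QUOTED_PATTERNS + [
    (0, GMAIL_APP_ID, "mail.google.com"),  # hypothetical added row
    (0, GMAIL_APP_ID, "gmail.com"),        # hypothetical added row
]


def host_matches(pattern: str, host: str) -> bool:
    """Assumed rule: a '*.' pattern matches only hosts that carry at
    least one extra label in front of the remainder, so '*.mail.google.com'
    covers 'foo.mail.google.com' but not 'mail.google.com' itself.
    A pattern without a wildcard must equal the whole host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mail.google.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify_sni(server_name: str, table: Iterable[Pattern]) -> Optional[int]:
    """Return the app id of the first row matching the SNI, or None."""
    for _flags, app_id, pattern in table:
        if host_matches(pattern, server_name):
            return app_id
    return None


def classify_all(server_names: Iterable[str],
                 table: Iterable[Pattern]) -> Dict[str, Optional[int]]:
    """Map each observed SNI to an app id (None means unclassified)."""
    rows = list(table)
    return {name: classify_sni(name, rows) for name in server_names}


# Constructed SNI values as a browser or mail client might send them.
SAMPLE_SNI = [
    "mail.google.com",
    "imap.gmail.com",
    "gmail.com",
    "foo.mail.google.com",
    "www.cnn.com",
]

if __name__ == "__main__":
    for label, table in (("quoted", QUOTED_PATTERNS), ("fixed", FIXED_PATTERNS)):
        print(label, classify_all(SAMPLE_SNI, table))
```

Under this rule the quoted table maps "imap.gmail.com" and "foo.mail.google.com" to 655 but leaves "mail.google.com" and "gmail.com" unclassified, which is the observation in the thread; only the rows added in FIXED_PATTERNS cover the bare names. When checking a real deployment, compare the SNI values seen in traffic against the pattern rows the same way before assuming the detector itself is broken.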
