Netgate Discussion Forum

Nintendo Switch and repeated cURL use

15 Posts 2 Posters 2.0k Views
    JonathanLee (Nov 13, 2023, 9:36 PM; last edited by JonathanLee Nov 13, 2023, 9:40 PM)

    Over Snort's AppID I am constantly seeing our Nintendo Switch using cURL. Is this pretty standard? Or is it possible to have a bug on a new Switch out of the box?

    From appMapping.data
    596 cURL 0 36 0 ~ curl

    This is seen with my user created text rule over and over when AppID is running.

    alert tcp any any -> any any (msg:"cURL"; appid:curl; sid:1000438; rev:1;)

    Make sure to upvote

      mcury @JonathanLee (Nov 13, 2023, 9:49 PM)

      @JonathanLee I don't think there is a single rule in Snort/AppID that can help to protect a Nintendo Switch, or if that should be behind an IPS/IDS.

      I just searched the Snort website, and it seems that the last update to AppID was on 2017-09-05.
      Info: https://www.snort.org/downloads/snort/changelog_2.9.20.txt

      I didn't search a lot on the Snort website, so I could be wrong about this.

      dead on arrival, nowhere to be found.

        JonathanLee @mcury (Nov 13, 2023, 10:04 PM; last edited by JonathanLee Nov 13, 2023, 10:07 PM)

        @mcury I use every AppID with custom text rules.

        I can detect Nintendo use and many others.

        https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699913000461

        You just have to map text rules to the AppId's appmapping.data file. My

        textrules2.txt

        My Nintendo keeps running cURL.

        Make sure to upvote

          mcury @JonathanLee (Nov 13, 2023, 10:08 PM; last edited by mcury Nov 13, 2023, 10:13 PM)

          @JonathanLee said in Nintendo Switch and repeated cURL use:

          @mcury I use every AppID with custom text rules.

          I can detect Nintendo use and many others.

          https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699913000461

          You just have to map text rules to the AppId's appmapping.data file. My

          textrules2.txt

          My Nintendo keeps running cURL.

          Nice, good job 👍
          Thanks for sharing that link, there is a holiday coming and I'll probably be playing with it :)

          edit: How can that appMapping.data file have ChatGPT in it, if it is from 2017?
          I'm probably wrong about the last update regarding AppID?

          dead on arrival, nowhere to be found.

            JonathanLee @mcury (Nov 13, 2023, 10:17 PM)

            @mcury Thanks, this is AppID's rule for Nintendo mapped to my custom text rule.

            It works great.

            Screenshot 2023-11-13 at 2.15.18 PM.png

            Make sure to upvote

              JonathanLee (Nov 13, 2023, 10:21 PM)

              I am starting to wonder if it is possible for someone to introduce a pen testing software version of a Switch into a network, that would be really sneaky like. Hackaday lists dozens of Nintendo Switch items.

              Make sure to upvote

                mcury @JonathanLee (Nov 13, 2023, 10:21 PM)

                @JonathanLee Really nice..

                So Nintendo uses a different User-Agent?

                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; http_header; content:"User-Agent|3A|"; content:"nintendo",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25525; rev:3; )
                
                25525 || OS-OTHER Nintendo User-Agent detected
                

                dead on arrival, nowhere to be found.

                  JonathanLee @mcury (Nov 13, 2023, 10:23 PM)

                  @mcury No, it is the same database, just the one that downloads does not map to updated text rules. We get the free database but no text rules with Snort. My text rules are inputted into custom in Snort and it maps to AppID's new database. Once it updates I have to remap it again.

                  Make sure to upvote

                    JonathanLee @mcury (Nov 13, 2023, 10:24 PM)
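An added example, not code from the thread or from Snort, for the mapping JonathanLee describes in the two posts above (take the appid token from appMapping.data, wrap it in a custom text rule, and regenerate after the database updates). The column layout is an assumption taken from the single line quoted earlier ("596 cURL 0 36 0 ~ curl"): tab-separated, first field the numeric id, second the display name, last field the token used with appid:.

```python
# Added example (not from the thread or from Snort): turn appMapping.data lines
# into the kind of custom text rule quoted above. Column layout is ASSUMED from
# the single line shown in the thread ("596 cURL 0 36 0 ~ curl"): tab-separated,
# field 0 = numeric app id, field 1 = display name, last field = appid: token.
from typing import Iterator, List, Optional, Set, Tuple

# Constructed sample input; only the cURL line appears in the thread.
SAMPLE_APPMAPPING = (
    "596\tcURL\t0\t36\t0\t~\tcurl\n"
    "9999\tExample Game Service\t0\t0\t0\t~\texample_game\n"
    "# comment lines are skipped\n"
    "bad line without enough fields\n"
)

def parse_appmapping(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (app_id, display_name, appid_token) for every usable line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) < 7 or not fields[0].isdigit():
            continue  # malformed line: skip it rather than emit a broken rule
        yield int(fields[0]), fields[1], fields[-1]

def make_rule(name: str, token: str, sid: int) -> str:
    """One alert rule in the shape used in the thread (any/any, rev:1)."""
    msg = name.replace('"', "'").replace(";", ",")  # keep the msg option well-formed
    return (f'alert tcp any any -> any any (msg:"{msg}"; '
            f'appid:{token}; sid:{sid}; rev:1;)')

def build_rules(text: str, first_sid: int = 1000000,
                only: Optional[Set[str]] = None) -> List[str]:
    """Rules for every entry (or just the tokens in `only`); re-run after each DB update."""
    rules, sid = [], first_sid
    for _app_id, name, token in parse_appmapping(text):
        if only is not None and token not in only:
            continue
        rules.append(make_rule(name, token, sid))
        sid += 1
    return rules

if __name__ == "__main__":
    for rule in build_rules(SAMPLE_APPMAPPING, first_sid=1000438):
        print(rule)
```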

                    @mcury OS-Other that is cool!! So that text rule can detect the HACKADAY versions if one gets on a corporate lan??

                    WOW!!!

                    Make sure to upvote

                      mcury @JonathanLee (Nov 13, 2023, 10:29 PM)

                      @JonathanLee I downloaded the community rules from the Snort website, I'm checking the files sig-msg.map and snort-community.rules.

                      But I can't find the new appID rules to check, I would like to know what pattern they are checking for when detecting Nintendo or ChatGPT.

                      dead on arrival, nowhere to be found.

                        JonathanLee @mcury (Nov 13, 2023, 10:30 PM; last edited by JonathanLee Nov 13, 2023, 10:32 PM)

                        @mcury /usr/local/etc/snort/appid/odp/appMapping.data is the appid database path on pfSense once it downloads. Could update at any time, again it seems to stay the same. Yes, the pattern would be nice to know. Sourcefire stuff. I think I remember a website that lists them that Cisco has for users.

                        Make sure to upvote

                          mcury @JonathanLee (Nov 13, 2023, 10:36 PM; last edited by mcury Nov 13, 2023, 10:38 PM)

                          @JonathanLee I think I found..

                          You can download the rules from:
                          https://www.snort.org/downloads/openappid/33380

                          It seems that these detectors are based on .lua files.

                          If you open the client.Bittorrent.lua file, you will see how they do it:

                          I think that this is the relevant part of the code:

                          function DetectorInit(detectorInstance)
                              gDetector = detectorInstance
                              -- register the HTTP patterns that identify this client
                              gDetector:addHttpPattern(2, 5, 0, 229, 1, 0, 0, 'BitTorrent', 61, 1);
                              gDetector:addHttpPattern(2, 5, 0, 229, 1, 0, 0, 'BTWebClient', 61, 1);
                              return gDetector
                          end

                          Edit: The files are from 06/09/23, so from June of this year..

                          dead on arrival, nowhere to be found.

                            JonathanLee (Nov 13, 2023, 11:00 PM)

                            I couldn't believe the amount of Hackaday projects out there with use of a Nintendo Switch.

                            Make sure to upvote

                              mcury @JonathanLee (Nov 13, 2023, 11:24 PM)

                              @JonathanLee said in Nintendo Switch and repeated cURL use:

                              I couldn't believe the amount of Hackaday projects out there with use of a Nintendo Switch.

                              It is a computer, you can run Linux in it.. :)

                              I have been trying to understand how the appID works, and what I found is not so good..

                              What I'm going to say below is something that I'm not sure about, take it with a grain of salt.

                              Most of the time it checks for a URL in the packet (header).
                              If the packet is encrypted, it can't do anything other than checking the header.

                              With SSL, it would be possible to check the SNI (Server Name Indication) header in the Hello packet, just like SquidGuard in splice all mode does, but the end of that is pretty near..

                              Even Firefox is prepared for that already: https://blog.mozilla.org/en/products/firefox/encrypted-hello/

                              dead on arrival, nowhere to be found.

                                JonathanLee @mcury (Nov 14, 2023, 2:48 AM)
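An added example, not code from the thread, for the point mcury makes above about what an inspector can still see once the session is encrypted: the SNI in a TLS ClientHello is plaintext, and when no name is present the parser gets nothing (with Encrypted Client Hello the outer SNI carries only the client-facing server's public name, so the same parser would return that rather than the real destination). build_client_hello() is a constructed, minimal ClientHello used only as input here.

```python
# Added example (not from the thread): what an inspector like AppID can still read
# from a TLS ClientHello, the plaintext SNI extension, and what it gets when no
# name is present. build_client_hello() is a constructed, minimal ClientHello.
import struct
from typing import Optional

SNI_EXT = 0  # extension type server_name (RFC 6066)

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS ClientHello record (test input only)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"  # renegotiation_info filler
    body = (b"\x03\x03" + b"\x11" * 32              # version, random
            + b"\x00"                                # empty session id
            + b"\x00\x02\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                            # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if there is none."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                          # not a handshake record / ClientHello
        pos = 9 + 2 + 32                         # past handshake header, version, random
        pos += 1 + record[pos]                   # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                   # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT and ext_len >= 5:
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                     # truncated or malformed: nothing readable
    return None
```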

                                @mcury I know that AppID can detect everything when the rules are in place. I do not know the patterns, but they do not require description, it seems.

                                Make sure to upvote
