Nintendo Switch and repeated cURL use

JonathanLee · Nov 13, 2023, 9:40 PM

Over Snorts AppID I am constantly seeing our Nintendo Switch using cUR. Is this pretty standard? Or is it possible to have a bug on a new Switch out of the box?

From appMapping.data
596 cURL 0 36 0 ~ curl

This is seen with my user created text rule over and over when AppID is running.

alert tcp any any -> any any (msg:"cURL"; appid:curl; sid:1000438; rev:1)

mcury · Nov 13, 2023, 9:49 PM

@JonathanLee I don't think there is a single rule in Snort/AppID that can help to protect a Nintendo Switch, or if that should be behind an IPS/IDS.

I just searched Snort website, and it seems that the last update to AppID was in 2017-09-05.
Info: https://www.snort.org/downloads/snort/changelog_2.9.20.txt

I didn't search a lot in Snort website, so I could be wrong about this.

JonathanLee · Nov 13, 2023, 10:07 PM

@mcury I use every AppID with custom text rules.

I can detect Nintendo use and many others.

https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699913000461

you just have to map text rules to the AppId's appmapping.data file. My

textrules2.txt

My Nintendo keeps running cURL.

mcury · Nov 13, 2023, 10:13 PM

@JonathanLee said in Nintendo Switch and repeated cURL use:

@mcury I use every AppID with custom text rules.

I can detect Nintendo use and many others.

https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699913000461

you just have to map text rules to the AppId's appmapping.data file. My

textrules2.txt

My Nintendo keeps running cURL.

Nice, good job
Thanks for sharing that link, there is a holiday coming and I'll probably be playing with it :)

edit: How can that file appMapping.data can have ChatGPT in it, if it is from 2017 ?
I'm probably wrong about the last update regarding AppID ?

JonathanLee · Nov 13, 2023, 10:17 PM

@mcury Thanks this is AppID's rule for Nintendo mapped to my custom text rule.

It works great.

JonathanLee · Nov 13, 2023, 10:21 PM

I am starting to wonder if it is possible for someone to introduce a Pen testing softwarwe version of a Switch into a Network, that would be really sneaky like. Hackaday lists dozens of Nintendo switch items.

mcury · Nov 13, 2023, 10:21 PM

@JonathanLee Really nice..

So Nintendo uses a different User-agent ?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; http_header; content:"User-Agent|3A|"; content:"nintendo",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25525; rev:3; )

25525 || OS-OTHER Nintendo User-Agent detected

JonathanLee · Nov 13, 2023, 10:23 PM

@mcury No it is the same database, just the one that downloads does not mapp to updated text rules. We get the free database but no text rules with Snort. My text rules are inputted into custom in Snort and it maps to AppID's new database. Once it updates I have to remap it again.

JonathanLee · Nov 13, 2023, 10:24 PM

@mcury OS-Other that is cool!! So that text rule can detect the HACKADAY versions if one gets on a corporate lan??

WOW!!!

mcury · Nov 13, 2023, 10:29 PM

@JonathanLee I downloaded the community rules from Snort website, I'm checking files sig-msg.map and snort-community.rules

But I can't find the new appID rules to check, I would like to know what pattern they are checking for when detecting Nintendo or ChatGPT

JonathanLee · Nov 13, 2023, 10:32 PM

@mcury /usr/local/etc/snort/appid/odp/appMapping.data is the appid database path on pfsense once it downloads. Could update at any time, again it seems to stay the same. Yes the pattern would be nice to know. sourcefirre stuff. I think I remember a website that lists them that Cisco has for users.

mcury · Nov 13, 2023, 10:38 PM

@JonathanLee I think I found..

You can download the rules from:
https://www.snort.org/downloads/openappid/33380

It seems that these detectors are based on .lua files.

If you open the client.Bittorrent.lua file, you will see how they do :

I think that this is the relevant part of the code:

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
	gDetector:addHttpPattern(2, 5, 0, 229, 1, 0, 0, 'BitTorrent', 61, 1);
    gDetector:addHttpPattern(2, 5, 0, 229, 1, 0, 0, 'BTWebClient', 61, 1);
    return gDetector

Edit: The files are from 06/09/23, so from June of this year..

JonathanLee · Nov 13, 2023, 11:00 PM

I couldn't believe the amount of Hackaday projects out there with use of a Nintendo Switch.

mcury · Nov 14, 2023, 2:48 AM

@JonathanLee said in Nintendo Switch and repeated cURL use:

I couldn't believe the amount of Hackaday projects out there with use of a Nintendo Switch.

It is a computer, you can run Linux in it.. :)

I have been trying to understand how the appID works, and what I found is not so good..

What I'm going to say below is something that I'm not sure about, take it with a grain of salt.

Most of the times it checks for a URL in the packet (header).
If the packet is encrypted, it can't do anything other than checking the header.

With SSL, it would be possible to check the SNI (Server Name Indication) header in the Hello packet, just like Squidguard in Spice all mode does, but the end of that is pretty near..

Even Firefox is prepared for that already: https://blog.mozilla.org/en/products/firefox/encrypted-hello/

JonathanLee · Nov 14, 2023, 2:48 AM

@mcury I know that AppID can detect everything when the rules are in place. I do not know the patterns but, they do not require description it seems.