[Oisf-devel] Feature Request - xor operator
Chris Wakelin
cwakelin at emergingthreats.net
Fri Mar 1 14:48:41 UTC 2019
You can do such checks in Lua of course (I described doing this for
AZORult in my SuriCon talk (see
https://suricon.net/highlights-from-suricon-2018/#presentations -
https://suricon.net/wp-content/uploads/2019/01/SuriCon2018_Wakelin.pdf)
Simple XOR cases might be covered if we implemented "byte_math" from
Snort -
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004534000000000000000
I've not tried this though - being a loyal member of the Mob, I don't
have a copy of Snort to hand :-)
Best Wishes,
Chris
On 01/03/2019 14:40, Harley H wrote:
> Hello,
> I would have put this in Redmine but am not receiving my password reset
> email.
>
> Would it be possible to add an xor operator to Suricata? I'm thinking it
> could be part of a byte_test but of course defer to those who know better.
>
> I'm encountering multiple malware families using random multi-byte xor
> schemes with their C2 protocol. Having an xor operator would allow the key
> to be extracted from the packet then tested against other bytes looking for
> known plaintext.
>
> I can put together some pcap and examples if that would be helpful.
>
> -Harley
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
More information about the Oisf-devel
mailing list