[Oisf-devel] Feature Request - xor operator

Harley H bobb.harley at gmail.com
Fri Mar 1 14:55:31 UTC 2019


Thanks Chris! Checking out your presentation now. And, byte_math does seem
more appropriate than byte_test.

On Fri, Mar 1, 2019 at 9:49 AM Chris Wakelin <cwakelin at emergingthreats.net>
wrote:

> You can do such checks in Lua of course (I described doing this for
> AZORult in my SuriCon talk (see
> https://suricon.net/highlights-from-suricon-2018/#presentations -
> https://suricon.net/wp-content/uploads/2019/01/SuriCon2018_Wakelin.pdf)
>
> Simple XOR cases might be covered if we implemented "byte_math" from
> Snort -
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004534000000000000000
>
> I've not tried this though - being a loyal member of the Mob, I don't
> have a copy of Snort to hand :-)
>
> Best Wishes,
> Chris
>
> On 01/03/2019 14:40, Harley H wrote:
> > Hello,
> > I would have put this in Redmine but am not receiving my password reset
> > email.
> >
> > Would it be possible to add an xor operator to Suricata? I'm thinking it
> > could be part of a byte_test but of course defer to those who know
> > better.
> >
> > I'm encountering multiple malware families using random multi-byte xor
> > schemes with their C2 protocol. Having an xor operator would allow the
> > key to be extracted from the packet then tested against other bytes
> > looking for known plaintext.
> >
> > I can put together some pcap and examples if that would be helpful.
> >
> > -Harley
> >
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> >
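The check Harley describes (pull the per-packet XOR key out of the payload, apply it to a later byte range, and compare the result against a known plaintext) is easy to model outside a rule language. The following is an added example written for this thread, not code from Suricata, Snort or anyone on the list. It assumes a constructed C2 layout: a 4-byte key sent in the clear at offset 0, followed by a body XOR-encoded with that key whose first bytes are a fixed marker. Every offset, the marker `HELO`, and the sample keys are assumptions; real families will differ, and the point is only to show why a fixed `content` match fails here while a key-extract-then-decode check succeeds.

```python
from itertools import cycle

# Constructed layout (assumption, not any real malware family's protocol):
#   payload[0:4]  - per-session XOR key transmitted in the clear
#   payload[4:]   - body XOR-encoded with that key, always starting with
#                   a known plaintext marker
KEY_OFFSET = 0
KEY_LEN = 4
DATA_OFFSET = 4
KNOWN_MARKER = b"HELO"  # constructed known-plaintext marker


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating multi-byte key (key shorter than data is cycled)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_packet(key: bytes, plaintext: bytes) -> bytes:
    """Constructed encoder used only to generate sample traffic for the demo."""
    return key + xor_bytes(plaintext, key)


def matches_known_plaintext(payload: bytes,
                            key_offset: int = KEY_OFFSET,
                            key_len: int = KEY_LEN,
                            data_offset: int = DATA_OFFSET,
                            expected: bytes = KNOWN_MARKER) -> bool:
    """Model of the requested detection primitive.

    1. read key_len bytes at key_offset out of the packet itself,
    2. XOR them over len(expected) bytes starting at data_offset,
    3. compare the decoded window with the expected known plaintext.

    Bounds are checked first so truncated or unrelated packets return
    False instead of raising inside the detection path.
    """
    needed = max(key_offset + key_len, data_offset + len(expected))
    if key_len == 0 or len(payload) < needed:
        return False
    key = payload[key_offset:key_offset + key_len]
    window = payload[data_offset:data_offset + len(expected)]
    return xor_bytes(window, key) == expected


def demo() -> dict:
    """Two sessions with different random-looking keys carry the same plaintext.
    Their on-the-wire bytes differ (so a static content match cannot cover
    both), yet the key-extracting check matches each of them."""
    a = build_packet(b"\x13\x37\xca\xfe", b"HELO agent=1")
    b = build_packet(b"\xaa\xbb\xcc\xdd", b"HELO agent=1")
    return {
        "wire_bytes_identical": a == b,
        "a_detected": matches_known_plaintext(a),
        "b_detected": matches_known_plaintext(b),
        "wrong_plaintext_detected": matches_known_plaintext(
            build_packet(b"\x13\x37\xca\xfe", b"NOPE agent=1")),
        "truncated_detected": matches_known_plaintext(a[:6]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each parameter of `matches_known_plaintext` corresponds to something a `byte_extract`/`byte_test`-style keyword pair already expresses (offset, byte count, comparison target); the only new operation is the XOR applied between the extracted value and the bytes under test, which is what the requested operator or a `byte_math`-like keyword would supply inside a rule without dropping to Lua.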