<div dir="ltr">Thanks Chris! Checking out your presentation now. And, byte_math does seem more appropriate than byte_test. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 1, 2019 at 9:49 AM Chris Wakelin <<a href="mailto:cwakelin@emergingthreats.net">cwakelin@emergingthreats.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">You can do such checks in Lua of course (I described doing this for<br>
AZORult in my SuriCon talk (see<br>
<a href="https://suricon.net/highlights-from-suricon-2018/#presentations" rel="noreferrer" target="_blank">https://suricon.net/highlights-from-suricon-2018/#presentations</a> -<br>
<a href="https://suricon.net/wp-content/uploads/2019/01/SuriCon2018_Wakelin.pdf" rel="noreferrer" target="_blank">https://suricon.net/wp-content/uploads/2019/01/SuriCon2018_Wakelin.pdf</a>)<br>
<br>
Simple XOR cases might be covered if we implemented "byte_math" from<br>
Snort -<br>
<a href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004534000000000000000" rel="noreferrer" target="_blank">http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004534000000000000000</a><br>
<br>
I've not tried this though - being a loyal member of the Mob, I don't<br>
have a copy of Snort to hand :-)<br>
<br>
Best Wishes,<br>
Chris<br>
<br>
On 01/03/2019 14:40, Harley H wrote:<br>
> Hello,<br>
> I would have put this in Redmine but am not receiving my password reset<br>
> email.<br>
> <br>
> Would it be possible to add an xor operator to Suricata? I'm thinking it<br>
> could be part of a byte_test but of course defer to those who know better.<br>
> <br>
> I'm encountering multiple malware families using random multi-byte xor<br>
> schemes with their C2 protocol. Having an xor operator would allow the key<br>
> to be extracted from the packet then tested against other bytes looking for<br>
> known plaintext.<br>
> <br>
> I can put together some pcap and examples if that would be helpful.<br>
> <br>
> -Harley<br>
> <br>
> <br>
> _______________________________________________<br>
> Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/participate/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
> Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
> <br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
<br>
</blockquote></div>