[Discussion] Binary Signature Detection

Josh Smith famousjs at gmail.com
Mon Jan 26 14:08:41 UTC 2009


Victor,

Some are simple, others have more than 5 content matches using within
and depth statements.  I also use a flowbit to detect only binary
files.  Also, they should match against a small part of a packet
because the signature of the packet is small compared to the size of
the binary file.  (At least I think it shouldn't have to match against
the entire packet haha).

You can look at the signatures here:

http://malforge.com/snort/output_all_uniq.zip

-Josh

On Mon, Jan 26, 2009 at 6:44 AM, Victor Julien <lists at inliniac.net> wrote:
> Hi Josh, thanks for bringing this up!
>
> Josh Smith wrote:
>> I have been working on converting the PEiD database of binary packer
>> signatures straight to snort signatures.  I've been refining my
>> signatures with other members from Emerging Threats, and have over
>> 10,000 snort signatures for packers.  I was told this may be a good
>> topic to bring up (binary packer detection) for OISF.
>
> 10k sigs is quite a lot :) Can you tell something about the nature of
> these sigs? Are they complex, or do they just use one content match for
> example?
>
> Should they be matched against full packets and streams or would we be
> able to match them against a small part of it?
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
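A constructed illustration of the conversion Josh describes (one PEiD UserDB entry becoming a Snort rule with several content matches pinned by distance/within, gated on a flowbit for binary files), added here as an example and not taken from the thread or from Josh's signature set; the sample entry, the flowbit name file.pe, the sid range and the rule header are assumptions.

```python
# Constructed sample in PEiD UserDB.txt layout; the bytes are made up, not a real packer.
SAMPLE_USERDB = """\
[Example Packer v1.0]
signature = 60 E8 00 00 00 00 58 ?? ?? 8D B8 00 00 00 FF
ep_only = true
"""

def parse_userdb(text):
    """Return [(name, hex_tokens)] for each [name] / signature = ... entry.
    ep_only is ignored: the entry point offset is unknown at packet level."""
    entries, name = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif name and line.lower().startswith("signature"):
            entries.append((name, line.partition("=")[2].split()))
    return entries

def segments(tokens):
    """Split tokens into (wildcards_before, [fixed bytes]) runs; '??' is a wildcard."""
    runs, gap, cur = [], 0, []
    for t in tokens:
        if t != "??":
            cur.append(t.upper())
            continue
        if cur:                      # a wildcard closes the current fixed run
            runs.append((gap, cur))
            cur, gap = [], 0
        gap += 1
    if cur:
        runs.append((gap, cur))
    return runs

def to_snort(name, tokens, sid, flowbit="file.pe"):
    """First content floats; each later content is pinned to the previous match by
    distance (wildcard bytes skipped) and within (its own length), i.e. an exact offset."""
    safe = name.replace('"', "'").replace(";", ",")   # keep msg: parseable
    opts = [f'msg:"PACKER {safe}"', f"flowbits:isset,{flowbit}"]   # flowbit name assumed
    for i, (gap, run) in enumerate(segments(tokens)):
        hexstr = " ".join(run)
        opts.append(f'content:"|{hexstr}|"')
        if i > 0:
            opts += [f"distance:{gap}", f"within:{len(run)}"]
    opts += [f"sid:{sid}", "rev:1"]
    return "alert tcp any any -> any any (" + "; ".join(opts) + ";)"
def convert(text, base_sid=9000001):
    """One rule per UserDB entry, sids allocated sequentially from base_sid."""
    return [to_snort(n, t, base_sid + i) for i, (n, t) in enumerate(parse_userdb(text))]
```

The flowbit is expected to be set by a separate rule that recognises the executable header on the same stream, so the packer contents are only evaluated on traffic already known to carry a binary.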
