[Oisf-devel] Feature Request - xor operator

Harley H bobb.harley at gmail.com
Fri Mar 1 14:40:34 UTC 2019


Hello,
 I would have put this in Redmine but am not receiving my password reset
email.

Would it be possible to add an xor operator to Suricata? I'm thinking it
could be part of a byte_test but of course defer to those who know better.

I'm encountering multiple malware families using random multi-byte xor
schemes with their C2 protocol. Having an xor operator would allow the key
to be extracted from the packet then tested against other bytes looking for
known plaintext.

I can put together some pcap and examples if that would be helpful.

-Harley
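The check the post asks for (read a multi-byte XOR key from one offset in the packet, apply it to a later region, and compare against a known plaintext marker), written as an added Python example that is not Suricata code or anything from the poster; the packet layout, key, offsets and the `CMD:` marker are all constructed for the demonstration.

```python
"""Known-plaintext check against a packet-carried, repeating multi-byte XOR key."""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key every len(key) bytes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_plaintext_match(payload: bytes, key_off: int, key_len: int,
                          data_off: int, expected: bytes) -> bool:
    """Return True if the key found at payload[key_off:key_off+key_len],
    applied to payload[data_off:data_off+len(expected)], decodes to `expected`.

    Mirrors what a byte_test-style xor operator would do in a rule: key and
    data are taken from the same packet, so no fixed key is hard-coded.
    Bounds are checked up front so truncated packets return False instead
    of raising."""
    key_end = key_off + key_len
    data_end = data_off + len(expected)
    if key_len <= 0 or key_end > len(payload) or data_end > len(payload):
        return False
    key = payload[key_off:key_end]
    return xor_with_key(payload[data_off:data_end], key) == expected


# --- constructed sample traffic (hypothetical layout, not a real family) ---
MARKER = b"CMD:"                    # plaintext header the fake C2 encodes
KEY = bytes.fromhex("a5c31f7e")     # hypothetical 4-byte per-session key


def build_sample(key: bytes, body: bytes) -> bytes:
    """Constructed packet: 2-byte magic, 4-byte key in the clear, XORed body."""
    return b"\x13\x37" + key + xor_with_key(body, key)


SAMPLE_HIT = build_sample(KEY, MARKER + b"ping")   # body starts with marker
SAMPLE_MISS = build_sample(KEY, b"junk data")      # same key, no marker


if __name__ == "__main__":
    for name, pkt in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        # key at offset 2 (4 bytes), encoded body starts at offset 6
        print(name, known_plaintext_match(pkt, 2, 4, 6, MARKER))
```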