[Oisf-devel] Feature Request - xor operator

Chris Wakelin cwakelin at emergingthreats.net
Fri Mar 1 14:48:41 UTC 2019

You can do such checks in Lua of course (I described doing this for
AZORult in my SuriCon talk; see
https://suricon.net/highlights-from-suricon-2018/#presentations).

Simple XOR cases might be covered if we implemented "byte_math" from
Snort -

I've not tried this though - being a loyal member of the Mob, I don't
have a copy of Snort to hand :-)

Best Wishes,

On 01/03/2019 14:40, Harley H wrote:
> Hello,
>  I would have put this in Redmine but am not receiving my password reset
> email.
> Would it be possible to add an xor operator to Suricata? I'm thinking it
> could be part of a byte_test but of course defer to those who know better.
> I'm encountering multiple malware families using random multi-byte xor
> schemes with their C2 protocol. Having an xor operator would allow the key
> to be extracted from the packet then tested against other bytes looking for
> known plaintext.
> I can put together some pcap and examples if that would be helpful.
> -Harley
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
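The key-from-packet check Harley describes, as an added example that is not part of the thread or of Suricata's code, written in Python so it can be unit-tested before being ported into a Suricata Lua script; the framing (4-byte key in clear at offset 0), the marker and the key length are constructed assumptions.

```python
# Added example, not code from the thread or from Suricata: the "extract the
# key from the packet, then test other bytes for known plaintext" check in
# plain Python. Assumed (constructed) C2 framing: a 4-byte random XOR key sent
# in clear at offset 0, then the XOR-encoded body, which is expected to start
# with a fixed marker.
from typing import Optional

KEY_OFFSET = 0
KEY_LEN = 4
BODY_OFFSET = KEY_OFFSET + KEY_LEN
KNOWN_PLAINTEXT = b"CMD:"  # constructed marker for the demo protocol


def xor_bytes(data: bytes, key: bytes, key_phase: int = 0) -> bytes:
    """XOR data with a repeating key; key_phase is the key index used for data[0]."""
    return bytes(b ^ key[(key_phase + i) % len(key)] for i, b in enumerate(data))


def build_packet(key: bytes, body: bytes) -> bytes:
    """Encoder used only to construct sample traffic for the checks below."""
    return key + xor_bytes(body, key)


def matches(payload: bytes) -> bool:
    """Take the key from the packet and decode only the bytes where the marker
    should sit; the whole payload is never decoded, which keeps the per-packet
    cost close to that of a byte_test."""
    end = BODY_OFFSET + len(KNOWN_PLAINTEXT)
    if len(payload) < end:
        return False
    key = payload[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    return xor_bytes(payload[BODY_OFFSET:end], key) == KNOWN_PLAINTEXT


def recover_key(payload: bytes) -> Optional[bytes]:
    """Inverse direction for families that do not send the key in clear: derive
    the key from the known plaintext position. The marker must be at least
    KEY_LEN bytes long, otherwise part of the key stays unknown."""
    if len(KNOWN_PLAINTEXT) < KEY_LEN or len(payload) < BODY_OFFSET + KEY_LEN:
        return None
    cipher = payload[BODY_OFFSET:BODY_OFFSET + KEY_LEN]
    return xor_bytes(cipher, KNOWN_PLAINTEXT[:KEY_LEN])


if __name__ == "__main__":
    sample_key = b"\x5a\xc3\x01\x7f"  # constructed random key
    pkt = build_packet(sample_key, b"CMD:ping\x00")
    print(matches(pkt), recover_key(pkt) == sample_key)  # True True
```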
