[Oisf-users] Luajit test rules

Chris Wakelin c.d.wakelin at reading.ac.uk
Sat Sep 29 10:43:45 UTC 2012

On 29/09/12 11:31, Victor Julien wrote:
> Nice work Chris,
> On 09/28/2012 10:18 PM, Chris Wakelin wrote:
>> Here's a couple of Luajit rules I've been trying:
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match
>> XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable;
>> flowbits:isnotset,ET.http.binary; luajit:xor-binary-detect4.lua;
>> sid:379000001; rev:4;)
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT zip test -
>> match Blackhole 2.x Jar"; flowbits:isset,ET.http.javaclient;
>> content:"|0D 0A 0D 0A|PK"; luajit:suri-bh2-jar.lua; sid:379000002; rev:1;)
> Have you tried "file_data; content:"PK"; depth:2;"? Then sig and script
> work on the same buffer.

That works! As it happens the "|0D 0A 0D 0A|PK" string doesn't work on
my pcap which has the HTTP response header (ending 0D0A0D0A) and body
(starting PK) in different packets. I copied it from the
emerging-info.rules 2014472/3 which also don't work :-/

Perhaps we need to check the Suricata rules for more issues like this,
where perhaps Snort does something differently.

> Too bad the lib doesn't support working on mem buffers. Adding file io
> to the mix is ehhh... sub optimal :)

It's not nice, but it shouldn't matter too much if it only executes
occasionally (should be only Java archives).

>> As it happens the Blackhole 2.x Jar files have had constant class file
>> names all week, so a normal signature could work. Still this is proof of
>> concept :)

An interesting question is whether we should add other Jar content tests
to the same Lua script for performance or have a rule for each exploit
kit. It's not easy to see how to get information about what matched back
to the user.

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
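To illustrate the split-packet problem and the fix discussed above (a raw `content:"|0D 0A 0D 0A|PK"` missing when the HTTP header and body arrive in different packets, versus `file_data; content:"PK"; depth:2;` matching on the reassembled body that a Lua script can then inspect), here is an added example in Python. It is not code from the thread, from Suricata or from the Lua scripts mentioned; the per-packet and body-buffer matchers are stand-ins for the Suricata keywords, and the JAR, its entry names and the HTTP response are all constructed sample data, not real indicators.

```python
import io
import struct
import zipfile

# Constructed sample JAR (a ZIP archive with stored entries). The entry
# names are placeholders for the example, not names from any exploit kit.
def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("a/b/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()

SAMPLE_JAR = build_sample_jar()

def http_response_segments(body):
    """Constructed HTTP response delivered as two TCP segments: the header
    (ending in 0D 0A 0D 0A) in one packet, the body (starting 'PK') in the next.
    This is the pcap layout described in the thread."""
    header = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: application/java-archive\r\n"
              b"Content-Length: %d\r\n\r\n" % len(body))
    return [header, body]

def naive_per_packet_match(segments):
    """Stand-in for content:"|0D 0A 0D 0A|PK" evaluated against each packet
    payload on its own: the pattern straddles the segment boundary."""
    return any(b"\r\n\r\nPK" in seg for seg in segments)

def reassembled_body(segments):
    """Stand-in for the file_data buffer: the HTTP body after the stream has
    been reassembled and the header stripped."""
    stream = b"".join(segments)
    sep = stream.find(b"\r\n\r\n")
    return stream[sep + 4:] if sep >= 0 else b""

def body_starts_with_pk(body):
    """Stand-in for file_data; content:"PK"; depth:2;"""
    return body[:2] == b"PK"

def zip_entry_names(body):
    """Walk the ZIP local file headers (PK 03 04) in memory and return the
    entry names, the kind of content check the Lua script performs on a JAR.
    Stops at the central directory (PK 01 02) or any malformed header."""
    names = []
    pos = 0
    while body[pos:pos + 4] == b"PK\x03\x04":
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", body, pos)
        if flags & 0x08:
            # Sizes live in a trailing data descriptor; a real parser would
            # scan for it. The constructed sample never sets this bit.
            break
        name = body[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        names.append(name)
        pos += 30 + nlen + xlen + csize
    return names

def jar_matches(body, wanted_entries):
    """Combined check: body is a ZIP and contains all of the wanted entry
    names (constant class file names, as the thread mentions)."""
    if not body_starts_with_pk(body):
        return False
    return set(wanted_entries) <= set(zip_entry_names(body))

if __name__ == "__main__":
    segs = http_response_segments(SAMPLE_JAR)
    print("per-packet |0D0A0D0A|PK match:", naive_per_packet_match(segs))
    body = reassembled_body(segs)
    print("file_data PK match:", body_starts_with_pk(body))
    print("entries:", zip_entry_names(body))
    print("jar rule match:", jar_matches(body, ["a/b/Loader.class"]))
```

Run as-is, the per-packet matcher reports no hit while the body-buffer check and the entry walk both succeed, which is the behaviour difference between the two rule forms. `zip_entry_names` only reads local headers, so it runs on a partially received archive; a script that needs exact sizes for entries written with a data descriptor would have to parse the central directory instead.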
