[Oisf-users] Luajit test rules
Chris Wakelin
c.d.wakelin at reading.ac.uk
Sat Sep 29 10:43:45 UTC 2012
On 29/09/12 11:31, Victor Julien wrote:
> Nice work Chris,
>
> On 09/28/2012 10:18 PM, Chris Wakelin wrote:
>> Here's a couple of Luajit rules I've been trying:
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match
>> XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable;
>> flowbits:isnotset,ET.http.binary; luajit:xor-binary-detect4.lua;
>> sid:379000001; rev:4;)
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT zip test -
>> match Blackhole 2.x Jar"; flowbits:isset,ET.http.javaclient;
>> content:"|0D 0A 0D 0A|PK"; luajit:suri-bh2-jar.lua; sid:379000002; rev:1;)
>
> Have you tried "file_data; content:"PK"; depth:2; Then sig and script
> work on the same buffer.
That works! As it happens the "|0D 0A 0D 0A|PK" string doesn't work on
my pcap which has the HTTP response header (ending 0D0A0D0A) and body
(starting PK) in different packets. I copied it from the
emerging-info.rules 2014472/3 which also don't work :-/
Perhaps we need to check the Suricata rules for more issues like this,
where perhaps Snort does something differently.
> Too bad the lib doesn't support working on mem buffers. Adding file io
> to the mix is ehhh... sub optimal :)
It's not nice, but it shouldn't matter too much if it only executes
occasionally (should be only Java archives).
>
>> As it happens the Blackhole 2.x Jar files have had constant class file
>> names all week, so a normal signature could work. Still this is proof of
>> concept :)
An interesting question is whether we should add other Jar content tests
to the same Lua script for performance or have a rule for each exploit
kit. It's not easy to see how to get information about what matched back
to the user.
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
More information about the Oisf-users
mailing list