Snort mailing list archives
Re: Feature Request - xor operator
From: Joshua Kinard via Snort-devel <snort-devel () lists snort org>
Date: Mon, 4 Mar 2019 04:43:23 -0500
On 3/1/2019 09:48, Harley H via Snort-devel wrote:
Hello,

Would it be possible to add an xor operator to Snort? I'm thinking it could be part of a byte_test but of course defer to those who know better. I'm encountering multiple malware families using random multi-byte xor schemes with their C2 protocol. Having an xor operator would allow the key to be extracted from the packet then tested against other bytes looking for known plaintext. I can put together some pcap and examples if that would be helpful.

-Harley
I have a patch, somewhere, that I wrote a few years back that added two new keywords, "xor_decode" and "xor_data". It was modeled after the base64_decode/data keywords, and they enable xor decoding with keys up to unsigned 64-bit ints. One can use a static key supplied w/ xor_decode, or a dynamic key of a specific length@offset, searching forwards or backwards in the packet.

Can't do anything for keys beyond eight bytes because I was trying to take advantage of native CPU register sizes and chomping the packet at four- or eight-byte intervals. So the code is really specific to this approach, versus being smarter and handling arbitrary-sized keys. That's an area that could be improved upon.

The patch was last synced against snort-2.9.7.0-alpha, so it's quite a bit out of date. Might be possible to sync it up to newer Snort-2.9.x releases, but I won't have time to test that out for a few weeks. If anyone wants to mess with the 2.9.7.0-alpha copy, let me know and I'll look for where I stashed it and post to the mailing list.

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Feature Request - xor operator Harley H via Snort-devel (Mar 01)
- Re: Feature Request - xor operator Joshua Kinard via Snort-devel (Mar 04)
