<p>Open Information Security Foundation, Suricata - Feature #3285: rules: XOR keyword (issue journal feed, last updated 2019-10-29T13:10:12Z)</p>
<p><strong>Brandon Murphy</strong>, 2019-10-29T13:10:12Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=14368">journal 14368</a>:</p>
<p>Having given a bit more thought, this solution would only work where XOR keys are known. This limitation moves the usefulness of this request to address Masked Payloads of WebSockets, as the XOR key is supposed to be random for each WebSocket frame.</p>
<p><strong>Jason Ish</strong> (jason.ish@oisf.net), 2019-11-01T09:30:53Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=14384">journal 14384</a>:</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-7 priority-5 priority-high3" href="/issues/2695">Feature #2695</a>: websocket support</i> added</li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-11-05T12:01:16Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=14532">journal 14532</a>:</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>Community Ticket</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul><p>I suppose it would be useful to use the result of byte_extract as input to the key.</p>
<p><strong>Brandon Murphy</strong>, 2019-12-12T14:55:17Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=14974">journal 14974</a>:</p>
<ul><li><strong>File</strong> <a href="/attachments/1895">8d44f3fd-110c-423f-82be-c09a1a52af08.pcap</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1895/8d44f3fd-110c-423f-82be-c09a1a52af08.pcap">8d44f3fd-110c-423f-82be-c09a1a52af08.pcap</a> added</li></ul><p>Adding a real world example of how this will be helpful.</p>
<p>AZORult 3.2 uses a static XOR key to encode network communications. PCAP is attached and taken from <a href="https://app.any.run/tasks/8d44f3fd-110c-423f-82be-c09a1a52af08/" class="external">Any.Run</a></p>
<p>See Packet 74 for the initial checkin via POST. This traffic can be decoded as described in this <a href="https://gchq.github.io/CyberChef/#recipe=From_Hexdump()XOR(%7B'option':'Hex','string':'0d0ac8'%7D,'Standard',false)URL_Decode()&input=MDAwMDAwQTAgIDRhIDJmIGZiIDNjIDJmIGZiIDNmICAgY2FjaGUuLi4gLkovLjwvLj8KMDAwMDAwQjAgIDJmIGZiIDNiIDRlIGVkIDNlIDMyIGVkICAzZSAzYSBlZCAzZSAzOCBlZCAzZiA0ZSAgIC8uO04uPjIuID46Lj44Lj9OCjAwMDAwMEMwICBlZCAzZSAzYiBlZCAzZSAzOSBlZCAzZSAgM2UgZWQgM2UgMzkgODkgMjggMzkgZmEgICAuPjsuPjkuPiA%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" class="external">CyberChef Recipe</a></p>
<p>The Initial Checkin of AZORult uses a unique ID generated from system details as documented by <a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html" class="external">Cylance</a></p>
<p>Today, as the values change depending on each infected system, detecting the initial checkin is difficult and very prone to false negatives, or is based on "circumstantial" detection, or based on post-initial-checkin activity.</p>
<p>The requested feature would allow for direct detection of this type of CnC communicator.</p>
<p>Using the attached pcap as an example, here is a rule utilizing the proposed keyword.</p>
<pre><code class="shell syntaxhl" data-language="shell">alert http $HOME_NET any -> $EXTERNAL_NET any (http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a 2f fb|"; fast_pattern; depth:3; xor: key 0d0ac8, bytes 133, offset 0; xor_data; pcre:"/^G(?:[A-F]|%3[0-9]){7}%2D(?:[A-F]|%3[0-9]){8}%2D(?:[A-F]|%3[0-9]){8}%2D(?:[A-F]|%3[0-9]){8}%2D(?:[A-F]|%3[0-9]){9}$/"; sid:1; rev:1; classtype:command-and-control;)
</code></pre>
<p>Notice the xor keyword is applied to the http.request_body buffer and xor_data is a sticky buffer.</p>
<p>Also, while 133 bytes is longer than the buffer, 133 bytes is the longest possible encoded/XOR'ed unique ID.</p>
<p>Note - this rule will cover any of the unique IDs that are G[0-9] when fully decoded. Additional rule(s) would be required to match G[A-F] while maintaining a maybe okish fast pattern.</p>
<p><strong>Brandon Murphy</strong>, 2019-12-12T14:57:30Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=14975">journal 14975</a>:</p>
<p>Victor Julien wrote:</p>
<blockquote>
<p>I suppose it would be useful to use the result of byte_extract as input to the key.</p>
</blockquote>
<p>Yes, that would be very useful. It would address the WebSockets use case, and I've seen more than one sample where malware configs, C2 comms, stage 2 binaries, etc. are XOR'ed but the key is at a specific offset in the stream.</p>
<p><strong>Simon Dugas</strong>, 2020-06-03T17:35:16Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=16565">journal 16565</a>:</p>
<p>Here is a first attempt to implement this feature:<br />- <a class="external" href="https://github.com/OISF/suricata/pull/5015">https://github.com/OISF/suricata/pull/5015</a><br />- <a class="external" href="https://github.com/OISF/suricata-verify/pull/243">https://github.com/OISF/suricata-verify/pull/243</a></p>
<p>The only difference from the syntax discussed in this issue is that the xor key is surrounded by double quotes when specifying a hex string. This allows us to distinguish it from a byte_extract variable.</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2020-06-08T13:16:04Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=16593">journal 16593</a>:</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Review</i></li><li><strong>Assignee</strong> changed from <i>Community Ticket</i> to <i>Simon Dugas</i></li></ul>
<p><strong>Jeff Lucovsky</strong>, 2020-11-14T14:25:51Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=18391">journal 18391</a>:</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default child" href="/issues/4097">Task #4097</a>: Suricon 2020 brainstorm</i> added</li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2020-11-19T17:36:16Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=18482">journal 18482</a>:</p>
<p>The idea at the 2020 brainstorm call was:</p>
<ul>
<li>extend byte_extract to allow an arbitrary-length extract for the key</li>
<li>an xor transform keyword that can take either the variable name from byte_extract or a static key as input</li>
</ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2020-11-24T09:47:54Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=18578">journal 18578</a>:</p>
<ul><li><strong>Subject</strong> changed from <i>XOR keyword</i> to <i>rules: XOR keyword</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>7.0.0-beta1</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-08-30T15:45:15Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=20500">journal 20500</a>:</p>
<p>Hi Simon, have you looked into doing this as a transform?</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-09-15T07:23:13Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=20656">journal 20656</a>:</p>
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>In Progress</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-10-21T21:53:21Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=21028">journal 21028</a>:</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default child" href="/issues/4762">Task #4762</a>: Suricon 2021 brainstorm</i> added</li></ul>
<p><strong>Philippe Antoine</strong>, 2021-10-22T17:52:27Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=21043">journal 21043</a>:</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>In Review</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/6513">https://github.com/OISF/suricata/pull/6513</a></p>
<p><strong>Simon Dugas</strong>, 2021-10-27T12:20:56Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=21081">journal 21081</a>:</p>
<p>Last time I was looking into transforms they didn't seem to support a "sticky buffer" on the entire TCP payload or holding on to variables such as keys. That was a while ago and I think the transforms API may have improved since then; I'll have a look at catenacyber's PR. I have plenty of test cases and suricata-verify tests that could be useful.</p>
<p>My apologies for the late response.</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-11-24T15:43:14Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=21430">journal 21430</a>:</p>
<ul><li><strong>Assignee</strong> changed from <i>Simon Dugas</i> to <i>Philippe Antoine</i></li></ul>
<p><strong>Philippe Antoine</strong>, 2022-01-19T12:43:04Z, <a href="https://redmine.openinfosecfoundation.org/issues/3285?journal_id=21994">journal 21994</a>:</p>
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/6579">https://github.com/OISF/suricata/pull/6579</a></p>
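<p>Added example (editor's code, not Suricata's implementation and not taken from either pull request linked in this thread) that emulates what the keyword discussed here does, for both cases the thread raises: the static-key AZORult rule in Brandon Murphy's 2019-12-12 comment, and the key-extracted-from-the-stream case from the byte_extract and WebSocket-masking discussion. Assumptions: the rule fragments quoted in the comments use this ticket's proposed syntax rather than the shipped one; the unique IDs and the WebSocket frame are constructed test vectors; and the raw-buffer fast pattern for "G%3" under key 0d0ac8 works out to 4a 2f fb (0x47^0x0d, 0x25^0x0a, 0x33^0xc8), which is also what the hexdump in the CyberChef link begins with. Python 3:</p>

```python
"""Emulation of the xor keyword discussed in this ticket (added example, not Suricata code)."""
import re
from itertools import cycle
from typing import Optional

# --- Part 1: static key, as in the AZORult 3.2 rule in the 2019-12-12 comment ---

# Static 3-byte key from the ticket, applied cyclically across the buffer.
AZORULT_KEY = bytes.fromhex("0d0ac8")

# Regex from the proposed rule; it runs on the XOR-decoded, still URL-encoded body.
UNIQUE_ID_RE = re.compile(
    r"^G(?:[A-F]|%3[0-9]){7}%2D(?:[A-F]|%3[0-9]){8}%2D(?:[A-F]|%3[0-9]){8}"
    r"%2D(?:[A-F]|%3[0-9]){8}%2D(?:[A-F]|%3[0-9]){9}$"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; this is all the transform itself does."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def url_encode_id(uid: str) -> str:
    """Constructed encoder matching the regex: digits and '-' become %XX, letters stay."""
    return "".join(c if c.isalpha() else "%%%02X" % ord(c) for c in uid)


def encode_checkin(uid: str) -> bytes:
    """Constructed test vector: URL-encode the ID, then XOR with the static key."""
    return xor_bytes(url_encode_id(uid).encode("ascii"), AZORULT_KEY)


def max_encoded_len() -> int:
    """Longest possible encoded ID: 'G' + 40 id chars as %XX + 4 hyphens as %2D."""
    return 1 + (7 + 8 + 8 + 8 + 9) * 3 + 4 * 3


def azorult_rule_matches(body: bytes) -> bool:
    """Emulate the rule: fast pattern on the raw buffer, xor over 133 bytes, then pcre."""
    if body[:3] != bytes.fromhex("4a2ffb"):          # content:"|4a 2f fb|"; depth:3;
        return False
    decoded = xor_bytes(body[:133], AZORULT_KEY)      # xor: key "0d0ac8", bytes 133, offset 0;
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:                        # wrong key or not this protocol
        return False
    return UNIQUE_ID_RE.match(text) is not None       # pcre on the transformed buffer


# --- Part 2: key extracted from the stream, as in the byte_extract discussion ---
# A masked WebSocket client frame (RFC 6455) carries its 4-byte masking key right
# after the 2-byte header (for payload lengths below 126). The key is random per
# frame, so only "extract the key, then xor the payload" can see the plaintext.

def mask_ws_frame(payload: bytes, masking_key: bytes, opcode: int = 0x1) -> bytes:
    """Constructed test vector: one FIN frame, masked the way a client must send it."""
    assert len(masking_key) == 4 and len(payload) < 126
    header = bytes([0x80 | opcode, 0x80 | len(payload)])  # FIN + opcode, MASK bit + len7
    return header + masking_key + xor_bytes(payload, masking_key)


def unmask_ws_frame(frame: bytes) -> Optional[bytes]:
    """Emulate byte_extract of the key at offset 2 followed by xor with that variable."""
    if len(frame) < 6 or not frame[1] & 0x80:  # need header + key, and the MASK bit set
        return None
    length = frame[1] & 0x7F
    if length >= 126:                          # extended lengths move the key; not handled here
        return None
    key = frame[2:6]                           # byte_extract: 4, 2, mask_key; (proposed syntax)
    payload = frame[6:6 + length]
    if len(payload) != length:                 # truncated frame: do not match on partial data
        return None
    return xor_bytes(payload, key)             # xor with the extracted key


def ws_payload_contains(frame: bytes, needle: bytes) -> bool:
    """content match on the unmasked payload (False for unmasked or short frames)."""
    plain = unmask_ws_frame(frame)
    return plain is not None and needle in plain


if __name__ == "__main__":
    body = encode_checkin("G1234567-12345678-12345678-12345678-123456789")
    print(len(body), body[:3].hex(), azorult_rule_matches(body))
    frame = mask_ws_frame(b'{"cmd":"ping"}', bytes.fromhex("a1b2c3d4"))
    print(ws_payload_contains(frame, b'"cmd"'))
```

<p>Running the file prints the encoded length (133, confirming the maximum stated in the comment), the first three raw bytes and the match result. An ID such as GABCDEF1-... encodes to a different first three bytes and is rejected by the fast pattern before any XOR work happens, which is exactly the G[A-F] gap the comment notes a second rule would have to cover. A frame without the MASK bit returns None because there is no key to extract, which is the check an implementation needs before trusting a byte_extract result.</p>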