Feature #3285

rules: XOR keyword

Added by Brandon Murphy over 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal

Description

Due to masked WebSocket usage with Masked payloads and XOR in general used by malware for network "encryption", I'm wondering if it would be possible to add support for XOR similar to the existing base64_decode/base64_data keywords.

The only existing method I am aware of for achieving this outcome using existing features is a Lua script/rule. However, this depends heavily on user configuration to be useful. Providing an XOR keyword has the benefit of not requiring Lua support and provides a general purpose function that could be used with Masked Payloads within WebSockets and any other network communications using XOR.

WebSocket support has been requested here - https://redmine.openinfosecfoundation.org/issues/2695, but does not directly address the use of Masked Payloads.

An example of keyword usage might be

xor:key <xor key in hex>, bytes <value>, offset <value>, relative;
xor_data;

Thanks
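The proposed keyword, modelled as an added Python example that is not part of this issue or of Suricata's code: `xor_transform` applies the key/bytes/offset/relative semantics sketched above, and a minimal WebSocket frame parser supplies it with the mask key and payload offset of a client frame (RFC 6455's own "Hello" sample). The function names and the `relative_pos` parameter are assumptions.

```python
def xor_transform(buf: bytes, key_hex: str, nbytes: int,
                  offset: int = 0, relative_pos: int = 0) -> bytes:
    """Model of the proposed keyword: XOR `nbytes` of `buf` starting at
    `relative_pos + offset` with the repeating key given in hex, yielding
    the buffer a following 'xor_data' match would inspect. A region that
    runs past the end of `buf` is truncated rather than padded."""
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("xor key must not be empty")
    start = relative_pos + offset
    if nbytes < 0 or start < 0 or start > len(buf):
        raise ValueError("xor region lies outside the buffer")
    chunk = buf[start:start + nbytes]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(chunk))

def parse_masked_frame(frame: bytes):
    """Parse the header of a client-to-server WebSocket frame (RFC 6455
    section 5.2, 7-bit payload length only) and return (mask key as hex,
    payload offset, payload length): the parameters the keyword needs."""
    if len(frame) < 6:
        raise ValueError("truncated frame header")
    if not frame[1] & 0x80:
        raise ValueError("frame is not masked")
    length = frame[1] & 0x7F
    if length >= 126:
        raise ValueError("extended payload lengths not handled here")
    if len(frame) < 6 + length:
        raise ValueError("frame shorter than its declared payload length")
    return frame[2:6].hex(), 6, length

def build_masked_frame(payload: bytes, mask: bytes) -> bytes:
    """Construct a masked text frame; used here only to build sample input."""
    assert len(mask) == 4 and len(payload) < 126
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x81, 0x80 | len(payload)]) + mask + masked

def unmask_payload(frame: bytes) -> bytes:
    """Equivalent of 'xor:key <mask>, bytes <len>, offset 6;' on one frame."""
    key_hex, offset, length = parse_masked_frame(frame)
    return xor_transform(frame, key_hex, length, offset)

# Constructed sample: RFC 6455's own worked example, "Hello" masked with 37fa213d.
SAMPLE_FRAME = bytes.fromhex("8185" "37fa213d" "7f9f4d5158")

if __name__ == "__main__":
    print(unmask_payload(SAMPLE_FRAME))  # b'Hello'
```

A rule would then run its content match against the returned buffer, the same way base64_data matches against the output of base64_decode.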

Related issues (3 open, 0 closed)

- Related to Suricata - Feature #2695: websocket support (In Review, Philippe Antoine)
- Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, Victor Julien)
- Related to Suricata - Task #4762: Suricon 2021 brainstorm (Assigned, Victor Julien)