Feature #5670
openSupport wide strings somehow
Description
When something is UTF-16 encoded, the interesting thing is often like S\x00E\x00L\x00E\x00C\x00T which is not conveniently expressed in Suricata
Updated by Philippe Antoine over 1 year ago
- Related to Task #5488: Suricon 2022 brainstorm added
Updated by Sascha Steinbiss over 1 year ago
Updated by Philippe Antoine over 1 year ago
Maybe like nocase keyword ? Maybe like a transform ?
Updated by Victor Julien 6 months ago
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Community Ticket
I think we need real world examples and use cases.
Updated by Brandon Murphy 6 months ago
SMB is a great example of this. consider the following rule
alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
this is not very conveniently expressed in a rule, it's cumbersome to read and write.
Additionally, this leads to confusion by users as observed here: https://forum.suricata.io/t/smb-rule-but-exclusion-needed/4147
having a "wide" keyword would make it more readable, and could perhaps been combined with other keywords like "ascii" to target non "wide" versions of the same string.
this combination (ascii and wide) is used a lot within yara when there is either a desire to match both version or there is a lack of information supporting one version over the other.
Updated by Philippe Antoine 6 months ago
IIRC, By the way, this kind of rule is easy to evade as SMB has a flag to use ascii or wide string...
So a wide keyword would look for both patterns (ascii and wided), is that what you expect ?
Updated by Philippe Antoine 6 months ago
It could be a transform, but that would not work on raw TCP stream I guess...