Feature #5670


Support wide strings somehow

Added by Philippe Antoine over 1 year ago. Updated 4 months ago.


When something is UTF-16 encoded, the interesting thing is often something like S\x00E\x00L\x00E\x00C\x00T, which is not conveniently expressed in Suricata.

Related issues: 1 (1 open, 0 closed)

Related to Suricata - Task #5488: Suricon 2022 brainstorm (Assigned, Victor Julien)

#1

Updated by Philippe Antoine over 1 year ago

  • Related to Task #5488: Suricon 2022 brainstorm added
#3

Updated by Philippe Antoine over 1 year ago

Maybe like the nocase keyword? Maybe like a transform?

#4

Updated by Victor Julien 4 months ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Community Ticket

I think we need real world examples and use cases.

#5

Updated by Brandon Murphy 4 months ago

SMB is a great example of this. Consider the following rule:

alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)

This is not very conveniently expressed in a rule; it's cumbersome to read and write.

Additionally, this leads to confusion among users, as observed here:

Having a "wide" keyword would make it more readable, and could perhaps be combined with other keywords like "ascii" to target non-"wide" versions of the same string.

This combination (ascii and wide) is used a lot within YARA when there is either a desire to match both versions or a lack of information supporting one version over the other.

#6

Updated by Philippe Antoine 4 months ago

By the way, IIRC this kind of rule is easy to evade, as SMB has a flag to use ASCII or wide strings...

So a wide keyword would look for both patterns (ASCII and widened); is that what you expect?
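The following helper, added as an editorial example and not code from Suricata, the ET ruleset or any participant in this ticket, shows what the "cumbersome" encoding in comment #5 and the "both patterns" expansion asked about in comment #6 amount to mechanically. It converts text to the `|00|`-interleaved content syntax used in the ET rule above (letters and digits literal, everything else in hex blocks), emits the ASCII and wide variants side by side as a YARA-style `ascii wide` pair would, and decodes a content string back to text. Function names are the editor's own; the only assumption about Suricata syntax is that a content string is literal ASCII with `|hh hh|` hex blocks, and backslash escapes are deliberately not handled.

```python
"""Helpers for UTF-16LE ("wide") content strings in Suricata rules.

Editorial example, not Suricata or Emerging Threats code. Assumes a content
string is literal ASCII text with |hh hh| hex blocks; the backslash escapes
Suricata also accepts (for ; " | and the backslash itself) are not handled.
"""
import re

# One hex block: pipe, hex digits separated by whitespace, pipe.
_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def content_to_bytes(content: str) -> bytes:
    """Decode a content string into the raw bytes it matches on the wire."""
    out = bytearray()
    pos = 0
    for m in _HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("ascii")   # literal run
        out += bytes.fromhex(m.group(1))                 # hex block
        pos = m.end()
    out += content[pos:].encode("ascii")
    return bytes(out)


def bytes_to_content(data: bytes) -> str:
    """Encode bytes in the style of the ET rule in this ticket: ASCII letters
    and digits stay literal, every other byte (including the UTF-16 null
    bytes) goes into a hex block, and adjacent hex bytes share one |..| block."""
    parts = []
    hexrun = []
    for b in data:
        if b < 0x80 and chr(b).isalnum():
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02x}")
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return "".join(parts)


def wide_content(text: str) -> str:
    """Content string matching `text` as UTF-16LE, i.e. what a hypothetical
    `wide` keyword would have to expand to."""
    return bytes_to_content(text.encode("utf-16-le"))


def ascii_and_wide(text: str) -> dict:
    """Both encodings, the pair a YARA `ascii wide` string would match."""
    return {"ascii": bytes_to_content(text.encode("ascii")),
            "wide": wide_content(text)}


def decode_wide(content: str) -> str:
    """Recover the text a wide content string matches. The ET content ends
    with |00 20|, a space without its high byte, so an odd trailing byte is
    completed with the null that UTF-16LE ASCII characters carry."""
    raw = content_to_bytes(content)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


if __name__ == "__main__":
    # Fragment copied from the second content match of the ET rule above.
    fragment = ("|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|"
                "s|00|t|00|a|00|r|00|t|00 20|")
    print(repr(decode_wide(fragment)))   # '\\cmd.exe /c start '
    for enc, c in ascii_and_wide("SELECT").items():
        print(f'{enc}: content:"{c}";')
```

Running it prints the decoded `\cmd.exe /c start ` from the ET rule and the two content options for `SELECT`, which is the pair a rule would need today to cover both the ASCII and the Unicode form of an SMB string.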

#7

Updated by Philippe Antoine 4 months ago

It could be a transform, but that would not work on a raw TCP stream, I guess...
