Feature #5670
open
Support wide strings somehow
Added by Philippe Antoine about 2 years ago.
Updated about 1 year ago.
Description
When something is UTF-16 encoded, the interesting thing is often like S\x00E\x00L\x00E\x00C\x00T
which is not conveniently expressed in Suricata
Related issues
1 (1 open — 0 closed)
- Related to Task #5488: Suricon 2022 brainstorm added
Maybe like a nocase keyword? Maybe like a transform?
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Community Ticket
I think we need real world examples and use cases.
SMB is a great example of this. Consider the following rule:
alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
This is not very conveniently expressed in a rule; it's cumbersome to read and write.
Additionally, this leads to confusion by users, as observed here: https://forum.suricata.io/t/smb-rule-but-exclusion-needed/4147
Having a "wide" keyword would make it more readable, and it could perhaps be combined with other keywords like "ascii" to target non-"wide" versions of the same string.
This combination (ascii and wide) is used a lot within yara when there is either a desire to match both versions or there is a lack of information supporting one version over the other.
IIRC, by the way, this kind of rule is easy to evade as SMB has a flag to use ascii or wide strings...
So a wide keyword would look for both patterns (ascii and wide), is that what you expect?
It could be a transform, but that would not work on a raw TCP stream I guess...
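As an added illustration of the two points made above (the hand-written `|xx 00|` form in the SMB rule being hard to read, and a hypothetical wide keyword needing to cover both the ascii and the UTF-16LE encoding), here is a small Python helper, written for this page and not part of Suricata or the ET ruleset. It encodes a search term into Suricata `content:` syntax (literal printable bytes, hex groups for everything else), parses such a string back to raw bytes, and checks a constructed payload against both variants. The function names, the constructed payloads and the assumption that a `content:` match is a plain substring search are the example's own; the `RULE_CMD_FRAGMENT` constant is copied verbatim from the rule quoted earlier in this thread.

```python
"""Added example (not from the Suricata issue or its code base).

Build and parse Suricata ``content:`` strings so an ASCII search term can be
written in its UTF-16LE ("wide") form and checked against either encoding.
"""

# Copied from the ET rule quoted above: "\cmd.exe /c start" in UTF-16LE,
# followed by a lone 0x20 (the trailing space without its null byte).
RULE_CMD_FRAGMENT = (
    "|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|"
    "s|00|t|00|a|00|r|00|t|00 20|"
)

# Bytes that Suricata requires to be escaped or hex-encoded inside content:"..."
_NEEDS_HEX = set(b';"\\|')


def to_content(text: str, wide: bool = False) -> str:
    """Return ``text`` as a Suricata content string.

    Printable ASCII bytes stay literal; everything else (including the 0x00
    bytes that UTF-16LE interleaves) is emitted as a ``|xx xx|`` hex group.
    """
    data = text.encode("utf-16-le" if wide else "ascii")
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02x}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b <= 0x7E and b not in _NEEDS_HEX:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def from_content(content: str) -> bytes:
    """Inverse of to_content: decode a Suricata content string to raw bytes.

    Handles ``|..|`` hex groups (whitespace-separated byte pairs) and the
    backslash escapes for ; " \\ and |.
    """
    out = bytearray()
    i = 0
    while i < len(content):
        c = content[i]
        if c == "|":
            j = content.index("|", i + 1)
            out.extend(bytes.fromhex(content[i + 1:j]))  # fromhex ignores spaces
            i = j + 1
        elif c == "\\":
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def variants(text: str) -> dict:
    """Both encodings a combined 'ascii' + 'wide' keyword would have to cover."""
    return {"ascii": to_content(text), "wide": to_content(text, wide=True)}


def content_matches(payload: bytes, content: str) -> bool:
    """Assumption for this example: a content: match is a plain substring search."""
    return from_content(content) in payload


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    ascii_payload = b"\x05\x00\x00 SELECT * FROM users"
    wide_payload = b"\x05\x00\x00 " + "SELECT * FROM users".encode("utf-16-le")
    for name, pattern in variants("SELECT").items():
        print(f"{name:5} content:\"{pattern}\"  "
              f"ascii={content_matches(ascii_payload, pattern)} "
              f"wide={content_matches(wide_payload, pattern)}")
    print("rule fragment decodes to:", from_content(RULE_CMD_FRAGMENT))
```

Running the script prints the two generated `content:` strings for `SELECT` and shows that each one matches only the payload in its own encoding, which is exactly why a rule that wants to catch both today has to carry two hand-encoded content matches.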