Feature #5670: Support wide strings somehow - Suricata - Open Information Security Foundation


alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)

this is not very conveniently expressed in a rule, it's cumbersome to read and write.

Additionally, this leads to confusion by users as observed here: https://forum.suricata.io/t/smb-rule-but-exclusion-needed/4147

having a "wide" keyword would make it more readable, and could perhaps been combined with other keywords like "ascii" to target non "wide" versions of the same string.

this combination (ascii and wide) is used a lot within yara when there is either a desire to match both version or there is a lack of information supporting one version over the other.

Actions

Copy link