Project

General

Profile

Actions

Feature #5776

open

PCRE fast_patterns via hyperscan

Added by Brandon Murphy over 1 year ago. Updated 12 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

This feature request is largely inspired by a new keyword introduced within Snort 3.0 The documentation is available here: https://docs.snort.org/rules/options/payload/regex

While I won't pretend to understand how this works "under the hood", I am interested in the ability to use PCREs as fast_patterns.

As an example of at least one case where I think this would help is, rules for which we have to create multiple versions of to insure a solid fast_pattern, that could otherwise be handled via a PCRE.

Consider the following open rules.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Belcuesth_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038691; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Kzzlcne_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038692; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newminer2_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038693; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Nykymad_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038694; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/my_ori_Ywenb_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)

This could be combined into a single rule, ideally with PCRE fast_pattern taking the static contents into consideration

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:my_ori_Ywenb|Nykymad|newminer2|Kzzlcne|Belcuesth)_(?:bmp|png|jpe?g)$/"; fast_pattern; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)

Here I've assigned the fast_pattern to the PCRE via the fast_pattern keyword, perhaps a PCRE modifier would be required for that, I'm not sure.

Actions

Also available in: Atom PDF