New transformation: dropbytes
I coded a new transformation, and want to know if there is interest to merge this into Suricata.
One of the problems this new transformation helps with: detecting obfuscated code.
Like this downloaded code: cm^d.exe /k power^shell.exe -Encodedcommand AAAAAAAAAAAAAAAAAAAA
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data cm^d.exe test"; flow:established,to_client; file.data; dropbytes:"^"; content:"cmd.exe"; sid:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data power^shell test"; flow:established,to_client; file.data; dropbytes:"^"; content:"powershell"; sid:2;)
Character ^ can be used to bypass detection of Windows commands, by adding this character at arbitrary places in the command.
Transformation dropbytes:"^"; removes this ^ character.
This transformation can also help with UNICODE detection, as a quick & dirty solution: remove all NUL bytes with dropbytes:"|00|";
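To illustrate what the transformation does to the matched buffer, here is an added Python model (not code from the PR or from Suricata itself) that strips the configured bytes and then runs a plain content match; the payloads are constructed samples, and UTF-16LE stands in for the "UNICODE" case above.

```python
# Added example: models the dropbytes transformation followed by a content
# match, to show why "cm^d.exe" and UTF-16 "powershell" become detectable.

def dropbytes(buf: bytes, drop: bytes) -> bytes:
    """Remove every occurrence of each byte listed in `drop` from `buf`."""
    return buf.translate(None, delete=drop)

def content_match(buf: bytes, content: bytes, drop: bytes = b"") -> bool:
    """Apply dropbytes (if `drop` is non-empty), then look for `content`."""
    return content in dropbytes(buf, drop)

# Constructed sample payloads (not captured traffic).
CARET_SAMPLE = b"cm^d.exe /k power^shell.exe -Encodedcommand AAAAAAAAAAAAAAAAAAAA"
UTF16_SAMPLE = "powershell.exe -nop".encode("utf-16-le")  # p\x00o\x00w\x00...

def demo() -> dict:
    """Same content matches with and without the transformation applied."""
    return {
        "caret_raw": content_match(CARET_SAMPLE, b"cmd.exe"),
        "caret_dropped": content_match(CARET_SAMPLE, b"cmd.exe", b"^"),
        "utf16_raw": content_match(UTF16_SAMPLE, b"powershell"),
        "utf16_dropped": content_match(UTF16_SAMPLE, b"powershell", b"\x00"),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Note that after the transformation, content matches and offsets refer to the stripped buffer, not the original bytes on the wire.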
Updated by Didier Stevens 9 months ago
- File dropbytes.rules added
- File powershell-filedata.pcap added
- File powershell-headers.pcap added
I did create a PR:
Attached are my test files.