Project

General

Profile

Actions

Feature #5798

open

New transformation: dropbytes

Added by Didier Stevens about 1 year ago. Updated about 1 year ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

I coded a new transformation, and want to know if there is interest to merge this into Suricata.

One of the problems this new transformation helps with: detecting obfuscated code.

Like this downloaded code: cm^d.exe /k power^shell.exe -Encodedcommand AAAAAAAAAAAAAAAAAAAA

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data cm^d.exe test"; flow:established,to_client; file.data; dropbytes:"^"; content:"cmd.exe"; sid:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data power^shell test"; flow:established,to_client; file.data; dropbytes:"^"; content:"powershell"; sid:2
;)

Character ^ can be used to bypass detection of Windows commands, by adding this character at arbitrary places in the command.
Transformation dropbytes:"^"; removes this ^ character.

This transformation can also help with UNICODE detection, quick & dirty solution: remove al NUL bytes. dropbytes:"|00|";


Files

dropbytes.rules (2.8 KB) dropbytes.rules Didier Stevens, 01/16/2023 10:31 PM
powershell-filedata.pcap (1.15 KB) powershell-filedata.pcap Didier Stevens, 01/16/2023 10:31 PM
powershell-headers.pcap (8.57 KB) powershell-headers.pcap Didier Stevens, 01/16/2023 10:31 PM
Actions #1

Updated by Peter Manev about 1 year ago

Yes there is. This can improve detection techniques.
Is it possible to create an MR ? Would love to test it.

Actions #3

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to In Review
Actions

Also available in: Atom PDF