Feature #7847
Status: open
rules: extend byte_extract named variables for use in other keywords/transformations such as xor
Description
We have seen several cases in which a packet is XOR'd with a single byte and this byte can be found at X offset. Currently, the only solution for detection (aside from Lua) is to write a signature for that XOR key which is incredibly static.
We are asking for byte_extract & xor support so that we can specify the location of the XOR key, extract it and store it in a named variable, and then use that extracted byte with the XOR transformation.
ex.
http.request_body; byte_extract:1,0,xor_key; xor:xor_key; content:"infected";
I suspect this becomes more difficult because we would now need to tell the XOR transformation that we are only interested in part of the buffer instead of the whole buffer. Maybe we'd also need the ability to tell the XOR transformation where to begin processing data with an offset value?
http.request_body; byte_extract:1,0,xor_key; xor:offset 1,xor_key; content:"infected";
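The following Python model is an added illustration of the logic the requested rule chain would perform; it is not Suricata code and not part of this issue. It assumes the semantics the description implies: `byte_extract` reads the key from a given offset, `xor` with an `offset` argument leaves the bytes before that offset untouched and XORs the rest with the repeating key, and `content` then matches on the transformed buffer. The function names and the sample body are constructed for the example; a hard-coded-key matcher is included alongside to show why the static signature the description complains about stops working when the key changes.

```python
# Added illustration, not Suricata's implementation: models what the requested
# "byte_extract -> xor:<var> -> content" chain would do to an http.request_body.


def xor_with_extracted_key(buf: bytes, key_offset: int, key_len: int = 1,
                           data_offset: int = 0) -> bytes:
    """Emulate 'byte_extract:key_len,key_offset,xor_key; xor:offset data_offset,xor_key'.

    The key is read from buf[key_offset:key_offset+key_len]. Bytes before
    data_offset pass through untouched; everything from data_offset on is
    XORed with the repeating key. Raises ValueError when the key would lie
    outside the buffer (a body shorter than the key offset).
    """
    if key_len < 1 or key_offset < 0 or key_offset + key_len > len(buf):
        raise ValueError("xor key lies outside the buffer")
    key = buf[key_offset:key_offset + key_len]
    head, tail = buf[:data_offset], buf[data_offset:]
    return head + bytes(b ^ key[i % key_len] for i, b in enumerate(tail))


def dynamic_key_match(buf: bytes, content: bytes, key_offset: int = 0,
                      key_len: int = 1, data_offset: int = 0) -> bool:
    """The requested rule: extract the key, transform, then match content."""
    try:
        return content in xor_with_extracted_key(buf, key_offset, key_len, data_offset)
    except ValueError:
        return False  # body too short to hold the key: the rule cannot match


def static_key_match(buf: bytes, content: bytes, fixed_key: int) -> bool:
    """The current workaround: a signature that hard-codes one XOR key and
    looks for the pre-encoded content bytes in the raw body."""
    return bytes(b ^ fixed_key for b in content) in buf


def encode_body(key: int, plaintext: bytes) -> bytes:
    """Constructed sample body: single key byte at offset 0, then the XORed payload."""
    return bytes([key]) + bytes(b ^ key for b in plaintext)


if __name__ == "__main__":
    plain = b"status=infected"  # constructed plaintext the rule wants to see
    for key in (0x5A, 0x17, 0xC3):
        body = encode_body(key, plain)
        print(f"key={key:#04x} dynamic={dynamic_key_match(body, b'infected', data_offset=1)} "
              f"static(0x5A)={static_key_match(body, b'infected', 0x5A)}")
```

Running the script shows the dynamic matcher firing for every key while the static matcher only fires for the one key it was written for. The `data_offset` parameter is the "offset 1" from the second rule form in the description: with a one-byte key it only changes what happens to the key byte itself, but with a longer key it controls where the repeating key is aligned, which is the part the description suspects would need new syntax.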
Updated by Victor Julien 8 days ago
- Subject changed from extend byte_extract named variables for use in other keywords/transformations such as xor to rules: extend byte_extract named variables for use in other keywords/transformations such as xor
Can you share a case like this, ideally with a Lua script to do the same if you have that?
Updated by Victor Julien 8 days ago
- Related to Feature #6831: rules: support extraction of bytes of non-numeric values added
Updated by Victor Julien 8 days ago
- Related to Feature #7321: rules: cross buffer byte_* keyword support added