Feature #7847

open

extend byte_extract named variables for use in other keywords/transformations such as xor

Added by James Emery-Callcott 4 days ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

We have seen several cases in which a packet is XOR'd with a single byte and this byte can be found at X offset. Currently, the only solution for detection (aside from Lua) is to write a signature for that XOR key which is incredibly static.

We are asking for byte_extract & xor support so that we can specify the location of the XOR key, extract it and store it in a named variable, and then use that extracted byte with the XOR transformation.

Example:

http.request_body; byte_extract:1,0,xor_key; xor:xor_key; content:"infected";

I suspect this becomes more difficult because we would now need to tell the XOR transformation that we are only interested in part of the buffer instead of the whole buffer. Maybe we'd also need the ability to tell the XOR transformation where to begin processing data with an offset value?

http.request_body; byte_extract:1,0,xor_key; xor:offset 1,xor_key; content:"infected";
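As an added illustration (not part of this ticket or of Suricata's code), the Python below models what the proposed rule fragment above would evaluate: read the one-byte key at offset 0 of the buffer, XOR the remainder from offset 1 with that key, then look for the content. A hard-coded-key check is included beside it to show why a signature written for a single fixed key misses the same payload under a different key. The function names and the sample request bodies are constructed for this example.

```python
# Models the semantics of the proposed rule (constructed example, not Suricata code):
#   http.request_body; byte_extract:1,0,xor_key; xor:offset 1,xor_key; content:"infected";

def extract_key(buf: bytes, nbytes: int, offset: int) -> int:
    """byte_extract:<nbytes>,<offset>,<var>: read nbytes (big-endian) at offset."""
    if offset < 0 or offset + nbytes > len(buf):
        raise ValueError("byte_extract out of bounds")
    return int.from_bytes(buf[offset:offset + nbytes], "big")

def xor_transform(buf: bytes, key: int, offset: int = 0) -> bytes:
    """xor:<key> with an optional start offset. Bytes before offset are left
    untouched, so the key byte itself is not part of the transformed data."""
    if not 0 <= key <= 0xFF:
        raise ValueError("xor key must be a single byte")
    return buf[:offset] + bytes(b ^ key for b in buf[offset:])

def matches_rule(body: bytes, needle: bytes = b"infected") -> bool:
    """byte_extract:1,0,xor_key; xor:offset 1,xor_key; content:<needle>"""
    if len(body) < 2:          # need the key byte plus at least one data byte
        return False
    key = extract_key(body, 1, 0)
    return needle in xor_transform(body, key, offset=1)

def matches_static_rule(body: bytes, key: int, needle: bytes = b"infected") -> bool:
    """The current workaround: a signature hard-coded to one XOR key."""
    return needle in xor_transform(body, key)

def make_sample(key: int, plaintext: bytes) -> bytes:
    """Constructed traffic: key byte followed by the plaintext XOR'd with it."""
    return bytes([key]) + bytes(b ^ key for b in plaintext)

SAMPLE_A = make_sample(0x5A, b"this host is infected")   # key 0x5A
SAMPLE_B = make_sample(0xC3, b"this host is infected")   # same payload, key 0xC3
SAMPLE_CLEAN = make_sample(0x5A, b"nothing to see here")

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("clean", SAMPLE_CLEAN)):
        print(name, "dynamic:", matches_rule(sample),
              "static 0x5A:", matches_static_rule(sample, 0x5A))
```

Sample A is caught by both checks, sample B only by the key-extracting one, and the clean body by neither.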

#1

Updated by Stuart DC 2 days ago

❤️ +1 to making XOR flexible
