General

Profile

Brandon Murphy

  • Login: zoomequipd
  • Registered on: 09/17/2019
  • Last connection: 06/02/2021

Issues

open closed Total
Assigned issues 0 0 0
Reported issues 5 2 7

Activity

06/02/2021

10:04 PM Suricata Feature #4227: breakout components of tls.cert_subject and tls.cert_issuer into additional "sub" buffers
Another use case for the "sub" buffers is for negations on specific components of the certificate. Such as negating ... Brandon Murphy

05/10/2021

06:35 PM Suricata Bug #2224: Negated http_* match returns false if buffer not populated
Just as an FYI - this issue/design/whatever continues to cause False Negatives on a pretty regular basis. If there i... Brandon Murphy

12/18/2020

06:02 AM Suricata Feature #4227 (New): breakout components of tls.cert_subject and tls.cert_issuer into additional "sub" buffers
h1. Problem
Writing signatures that use tls.cert_subject and tls.cert_issuer to match on content within the Common... Brandon Murphy
04:56 AM Suricata Bug #4226 (New): bsize is considerably slower than depth:x; isdataat:!1,relative
When reviewing rule profiling output of comparing the speed of bsize:x; checks to using depth:x; isdataat:!1,relative... Brandon Murphy
03:53 AM Suricata Bug #4225 (Closed): SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Upon the first pcap being submitted in socket mode, an error is logged... Brandon Murphy

02/25/2020

05:57 PM Suricata Bug #3504 (Closed): http.header.raw prematurely truncates in some conditions
In attempting to create a signature for the attached pcap, I found an unexpected behavior in suricata 5.0.0+ as it re... Brandon Murphy

12/12/2019

02:57 PM Suricata Feature #3285: rules: XOR keyword
Victor Julien wrote:
> I suppose it would be useful to use the result of byte_extract as input to the key.
Yes, t... Brandon Murphy
02:55 PM Suricata Feature #3285: rules: XOR keyword
Adding a real world example of how this will be helpful.
AZORult 3.2 uses a static XOR key to encode network comm... Brandon Murphy

10/29/2019

01:10 PM Suricata Feature #3285: rules: XOR keyword
Having given a bit more thought, this solution would only work where XOR keys are known. This limitation moves the u... Brandon Murphy
10:42 AM Suricata Feature #3285 (In Review): rules: XOR keyword
Due to masked WebSocket usage with Masked payloads and XOR in general used by malware for network "encryption", I'm w... Brandon Murphy

Also available in: Atom