Snort mailing list archives
Re: Quick Question: base64 snort options
From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 24 Feb 2011 13:12:42 +0000
Ah, I see it does seem to work like that. I have inbound ones for testing for some test commands (download, flood, scan etc.) and it FP'd on this:

Base64: YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--
Ascii: ardownloads.yahoo.com?

Inbound stuff was a test, but outbound stuff like the previously mentioned sigs, would they work as I intend? If so, some generic sigs for base64-encoded common values seen in malware communications as a host tells the server about itself.

On 24 February 2011 12:36, Kevin Ross <kevross33 () googlemail com> wrote:
Hey. I am wondering if I understand this right, as I think this could be useful for these 2.9 Snort options. If you specify an HTTP POST and then base64 data followed by "windows" or "service pack" or some other phrase, will Snort then check the decoded base64 string, wherever it may be, for that string within the depth you specify, such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 XP SP Operating System Type Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"XP SP"; nocase; within:100; classtype:trojan-activity; sid:156006; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 OS Windows Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"windows"; nocase; within:100; classtype:trojan-activity; sid:156008; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 Windows Service Pack Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"service pack"; nocase; within:100; classtype:trojan-activity; sid:156009; rev:1;)

Just I was thinking, if this was the case and with a little work, they could be a generic detection for some malware CNC communication, i.e. this sort of thing: https://www.honeynet.org/node/539

Am I on the right track or have I misunderstood how these rule options work?

Thanks,
Kev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
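The following is an added worked example, not code from the thread or from Snort: it shows in plain Python what the three rules quoted above are trying to do, namely decode base64 in the body of an outbound POST and look for the OS-fingerprint strings ("XP SP", "windows", "service pack") case-insensitively within the first 100 decoded bytes. It scans every base64-looking run in the request body instead of reproducing Snort's cursor-based base64_decode/base64_data behaviour, so it illustrates the intent of the rules, not how the Snort engine evaluates them. The sids and content strings come from the rules in the thread; the minimum run length of 16, the two sample requests and the hostnames are constructed assumptions. The decoder also accepts the thread's sample string with its "--" tail so the decoded value can be checked.

```python
import base64
import re

# Added illustration, not Snort's decoder and not the poster's rules.
# (sid, msg, content) are taken from the three rules in the thread; the
# content string is matched nocase within the first DEPTH decoded bytes,
# mirroring the rules' within:100.
RULES = [
    (156006, "CNC Possible Base64 XP SP Operating System Type Post", "XP SP"),
    (156008, "CNC Possible Base64 OS Windows Post", "windows"),
    (156009, "CNC Possible Base64 Windows Service Pack Post", "service pack"),
]
DEPTH = 100

# A run of at least 16 base64 alphabet characters plus optional '=' padding.
# 16 is an assumed minimum, chosen to skip ordinary words and short tokens.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def lenient_b64_decode(token: bytes) -> bytes:
    """Decode a base64 run even when padding is missing or replaced (the
    thread's sample ends in '--' rather than '=='). A dangling single
    character cannot encode a byte and is dropped before padding."""
    token = re.sub(rb"[^A-Za-z0-9+/]", b"", token)
    if len(token) % 4 == 1:
        token = token[:-1]
    token += b"=" * (-len(token) % 4)
    return base64.b64decode(token)


def http_body(payload: bytes) -> bytes:
    """Return the entity body of a raw HTTP request (bytes after the header block)."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def inspect_post(payload: bytes) -> list:
    """Return [(sid, msg, decoded)] for every rule whose content string occurs,
    case-insensitively, in the first DEPTH bytes of a decoded base64 run found
    in the body of a POST request. Non-POST requests are ignored."""
    if not payload.startswith(b"POST "):
        return []
    hits = []
    for run in B64_RUN.finditer(http_body(payload)):
        decoded = lenient_b64_decode(run.group(0))
        window = decoded[:DEPTH].lower()
        for sid, msg, needle in RULES:
            if needle.lower().encode() in window:
                hits.append((sid, msg, decoded))
    return hits


def decode_thread_sample() -> bytes:
    """Decode the string quoted in the thread, treating its '--' tail as padding."""
    return lenient_b64_decode(b"YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--")


# Constructed sample traffic (not captured data): a beacon that reports the
# host's OS inside a base64 blob, and a harmless base64 upload for contrast.
BEACON = (
    b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"data=" + base64.b64encode(b"id=1234&os=Windows XP SP3&user=joe")
)
BENIGN = (
    b"POST /upload HTTP/1.1\r\nHost: files.example.invalid\r\n\r\n"
    b"blob=" + base64.b64encode(b"nothing to see here, just some bytes")
)

if __name__ == "__main__":
    for sid, msg, decoded in inspect_post(BEACON):
        print(sid, msg, decoded)          # sids 156006 and 156008 fire
    print(inspect_post(BENIGN))           # []
    print(decode_thread_sample())         # b'ar\x03downloads.yahoo.com'
```

Running it shows why a generic "decode and look for windows" signature is cheap to write but noisy: any base64-encoded form field, cookie or telemetry blob that happens to mention the platform will decode to the same strings, so a real rule needs the decode anchored to a specific field or preceded by a more distinctive content match rather than applied to every POST.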
Current thread:
- Quick Question: base64 snort options Kevin Ross (Feb 24)
- Re: Quick Question: base64 snort options Kevin Ross (Feb 24)