Snort mailing list archives

Re: Quick Question: base64 snort options


From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 24 Feb 2011 13:12:42 +0000

Ah I see it does seem to work like that. I have inbound ones for testing for
some test commands (download, flood, scan etc) and it FPd on this:

Base64: YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--
Ascii: ardownloads.yahoo.com?

Inbound stuff was a test but outbound stuff like previously mentioned sigs,
would they work as I intend? If so some generic sigs for base64 encoded
common values seen in malware communications as a host tells the server
about itself.


On 24 February 2011 12:36, Kevin Ross <kevross33 () googlemail com> wrote:

hey. I am wondering if I understand this right as I think this could be
useful for these 2.9 snort options. If you specify a HTTP post and then
base64 data followed by windows or service pack or some other phrase will
snort then check the decoded base64 string wherever it may be for that
string within the depth you specify such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
Base64 XP SP Operating System Type Post"; flow:established,to_server;
content:"POST"; http_method; base64_decode; base64_data; content:"XP SP";
nocase; within:100; classtype:trojan-activity; sid:156006; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
Base64 OS Windows Post"; flow:established,to_server; content:"POST";
http_method; base64_decode; base64_data; content:"windows"; nocase;
within:100; classtype:trojan-activity; sid:156008; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
Base64 Windows Service Pack Post"; flow:established,to_server;
content:"POST"; http_method; base64_decode; base64_data; content:"service
pack"; nocase; within:100; classtype:trojan-activity; sid:156009; rev:1;)

Just I was thinking if this was the case and with a little work they could
be a generic detection for some malware CNC communication. i.e. this sort of
thing https://www.honeynet.org/node/539

Am I on the right track or have I misunderstood how these rule options
work? Thanks, Kev
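An added simulation of what the rule options above do, written for this page and not taken from Snort or from the thread: it decodes the base64 token, then searches the first 100 decoded bytes for each keyword, the way base64_decode / base64_data / content / within:100 are used in the rules (the POST method check is left out). It runs the FP sample from the reply and a constructed beacon string, and compares plain substring matching against a whole-word check; the sid for the inbound "download" test rule and the beacon contents are assumptions.

```python
import base64
import re

# Approximation of the rules in the thread: after base64_decode/base64_data the
# content match runs over the decoded buffer, and within:100 confines it to the
# first 100 decoded bytes. This is a simulation, not Snort's detection engine.
DEPTH = 100

# sid -> keyword (matched nocase). The three outbound sids are from the thread;
# 999999 is a placeholder for the inbound "download" test-command rule that
# produced the false positive.
RULES = {
    156006: b"xp sp",
    156008: b"windows",
    156009: b"service pack",
    999999: b"download",
}

def decode_base64_lenient(token: str) -> bytes:
    """Decode base64, treating trailing '-' (as in the FP sample) as padding."""
    token = token.strip().rstrip("-")
    token += "=" * (-len(token) % 4)          # restore '=' padding
    return base64.b64decode(token)            # non-alphabet chars are skipped

def matches_substring(decoded: bytes, keyword: bytes) -> bool:
    """Plain nocase substring match limited to the first DEPTH decoded bytes."""
    return keyword in decoded[:DEPTH].lower()

def matches_word(decoded: bytes, keyword: bytes) -> bool:
    """Tighter check: the keyword may not be embedded in a longer word
    ("download" inside "downloads"); digits are still allowed next to it
    so "XP SP" keeps matching "XP SP3"."""
    pattern = rb"(?<![a-z])" + re.escape(keyword) + rb"(?![a-z])"
    return re.search(pattern, decoded[:DEPTH].lower()) is not None

def evaluate(post_body_b64: str, strict: bool = False) -> list:
    """Return the sorted list of sids that would fire on one base64 token."""
    decoded = decode_base64_lenient(post_body_b64)
    check = matches_word if strict else matches_substring
    return sorted(sid for sid, kw in RULES.items() if check(decoded, kw))

# Constructed samples: the FP token quoted in the thread, and an invented
# beacon string in the style the outbound rules are meant to catch.
FP_SAMPLE = "YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--"
BEACON = base64.b64encode(b"host=LAB-PC os=Windows XP SP3 cmd=download").decode()

if __name__ == "__main__":
    for name, sample in (("fp", FP_SAMPLE), ("beacon", BEACON)):
        print(name, "substring:", evaluate(sample), "word:", evaluate(sample, strict=True))
```

The decoded FP sample is `ar\x03downloads.yahoo.com`, so the substring form of the "download" rule fires on a hostname while the whole-word form does not, and the beacon string still trips the three OS rules under both forms.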



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users