PoC for Tracking Canada Bank Swift Codes
From: Bill Parker <wp02855 () gmail com>
Date: Wed, 20 May 2015 10:25:16 -0700
Hello All, This stuff might be useful in Snort 2.9.7.x or Snort 3.x, as it has been filed as an enhancement request for ClamAV Bugzilla: https://bugzilla.clamav.net/show_bug.cgi?id=11322 Here is an updated version of the Canadian SWIFT bank code tracking program (which I am attaching to the existing bug report). Here is a sample of the output produced from five test runs:
C:\Temp>swift BOFACAttVaN main-c.txt > foobar
C:\Temp>swift tdsecat1 main-c.txt >> foobar
C:\Temp>swift BOfaCAtt main-c.txt >> foobar
C:\Temp>swift ccdqcamm main-c.txt >> foobar
C:\Temp>swift clamav98 main-c.txt >> foobar
C:\Temp>type foobar
String before conversion is: BOFACAttVaN
String after conversion is: BOFACATTVAN
Found Solution: LAST THREE DIGITS A VALID BANK CODE */ // FOOBARBOFACATTVAN INT IS_BANK_CODE_VALID(INT BANK_CODE) {
Match Found...
Institution[17] is: BANK OF AMERICA, NATIONAL ASSOCIATION, CANADA BRANCH
City[17] is: VANCOUVER
Swift Code[17] is: BOFACATTVAN
String before conversion is: tdsecat1
String after conversion is: TDSECAT1
Found Solution: (INT BANK_CODE) { INT BANK_CODE_VALID = 0; // TDSECAT1 SWITCH (BANK_CODE) { CASE 1:
Match Found...
Institution[495] is: TORONTO DOMINION SECURITIES INC
City[495] is: TORONTO
Swift Code[495] is: TDSECAT1
String before conversion is: BOfaCAtt
String after conversion is: BOFACATT
Found Solution: LAST THREE DIGITS A VALID BANK CODE */ // FOOBARBOFACATTVAN INT IS_BANK_CODE_VALID(INT BANK_CODE) {
Match Found...
Institution[16] is: BANK OF AMERICA, NATIONAL ASSOCIATION, CANADA BRANCH
City[16] is: TORONTO
Swift Code[16] is: BOFACATT
String before conversion is: ccdqcamm
String after conversion is: CCDQCAMM
Error! String: CCDQCAMM not found in first 10000 characters of file: main-c.txt
String before conversion is: clamav98
String after conversion is: CLAMAV98
Error! 
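/*
 * swift-main.c -- look up a Canadian SWIFT (BIC) code.
 *
 * Usage: swift-main <code> <data-file>
 *
 * The code from the command line is upper-cased and searched for in the
 * first TEXT_BUF_SIZE bytes of <data-file> (main-c.txt in the test runs
 * above). When it is present, up to SOLUTION_LEN bytes of the text around
 * the match are printed and the code is then looked up in swift_table[]
 * (declared in swift-main.h) to print the institution, city and code.
 * A code that is absent from the data file is reported as
 *   Error! String: CLAMAV98 not found in first 10000 characters of file: main-c.txt
 * which is how the last two of the sample runs above end.
 *
 * Attached files: swift-main.c (this file), swift-main.h (header with
 * swift_table[]), main-c.txt (data file containing the code strings),
 * foobar (output of the five test runs).
 *
 * The swift_table[] lookup is a linear scan. If the table were kept sorted
 * by code, bsearch() would need no more than about ten comparisons for its
 * 513 entries.
 */
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include "swift-main.h" /* swift_table[]; keep it beside this file rather than hard-coding c:\temp */

enum {
    TEXT_BUF_SIZE  = 10000, /* bytes of the data file that are searched */
    CONTEXT_BEFORE = 50,    /* bytes shown before the match */
    SOLUTION_LEN   = 100    /* bytes of context shown in total */
};

/*
 * Upper-case `str` in place (ASCII, via toupper()) and return it.
 * Most PC C libraries ship strupr(); many Unix/Linux libraries do not.
 * The function returns `str` because main() writes `p = string_to_upper(p)`;
 * the original declared it void and still returned str, which is a
 * constraint violation in C.
 */
char *string_to_upper(char *str)
{
    char *s;

    for (s = str; *s != '\0'; s++) {
        /* plain char may be negative; <ctype.h> needs unsigned char or EOF */
        *s = (char)toupper((unsigned char)*s);
    }
    return str;
}

/* Lower-case `str` in place (ASCII, via tolower()) and return it. */
char *string_to_lower(char *str)
{
    char *s;

    for (s = str; *s != '\0'; s++) {
        *s = (char)tolower((unsigned char)*s);
    }
    return str;
}

/*
 * Reverse `str` in place. An empty string is left alone: the original took
 * strlen(str) - 1 as the last index, which is -1 for "", and then swapped
 * str[0] with str[-1].
 */
void string_reverse(char *str)
{
    size_t lo = 0;
    size_t hi = strlen(str);

    if (hi == 0) {
        return;
    }
    for (hi--; lo < hi; lo++, hi--) {
        char tmp = str[lo];
        str[lo] = str[hi];
        str[hi] = tmp;
    }
}

/*
 * Find the first occurrence of `string` in the NUL-terminated `text`.
 * Returns a pointer into `text`, or NULL when there is no match (or either
 * argument is NULL); an empty `string` matches at the start of `text`.
 *
 * This is strstr() behind the original signature. The hand-rolled scan it
 * replaces kept its first-byte lookup table in a static array, so a second
 * call with a different pattern still "matched" the first pattern's leading
 * byte (only the remaining bytes were compared), and an empty pattern turned
 * the end-of-text entry into a match and called strncmp() with a length of
 * -1, i.e. SIZE_MAX.
 */
char *BruteSearch(const char *text, const char *string)
{
    if (text == NULL || string == NULL) {
        return NULL;
    }
    return strstr(text, string);
}

/*
 * Case-insensitive (ASCII) equality of two NUL-terminated strings.
 * Replaces stricmp(), which is neither standard C nor POSIX.
 */
static int code_equal(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = toupper((unsigned char)*a);
        int cb = toupper((unsigned char)*b);

        if (ca != cb) {
            return 0;
        }
        if (ca == '\0') {
            return 1;
        }
    }
}

/*
 * Copy the text around a match into `out`: up to CONTEXT_BEFORE bytes before
 * `site`, then the match and what follows it, SOLUTION_LEN bytes at most.
 * The window never starts before `text` (the original read from site - 50
 * even when the match sat in the first 50 bytes of the buffer) and never
 * runs past the NUL that terminates `text`. `out` must hold
 * SOLUTION_LEN + 1 bytes and is always NUL-terminated (the original wrote
 * solution[101] into a 101-byte array). Returns the bytes copied, without
 * the NUL.
 */
static size_t extract_context(const char *text, const char *site, char *out)
{
    size_t before = (size_t)(site - text);
    const char *start;
    size_t n;

    if (before > CONTEXT_BEFORE) {
        before = CONTEXT_BEFORE;
    }
    start = site - before;
    n = strlen(start); /* bounded by the buffer's terminating NUL */
    if (n > SOLUTION_LEN) {
        n = SOLUTION_LEN;
    }
    memcpy(out, start, n);
    out[n] = '\0';
    return n;
}

/*
 * Entry point: swift-main <string> <filename>.
 * Searches the first TEXT_BUF_SIZE bytes of <filename> for the upper-cased
 * <string>, prints the surrounding text of the first match and, only if the
 * string was found in the file, the matching swift_table[] entry.
 * Returns EXIT_FAILURE on a usage, open, allocation or read error.
 */
int main(int argc, char *argv[])
{
    char *search_for;      /* code to search for (argv[1], upper-cased in place) */
    const char *filename;  /* data file to search (argv[2]) */
    char *buffer;          /* first TEXT_BUF_SIZE bytes of the file, NUL-terminated */
    char *site;            /* where the code was found in buffer, or NULL */
    size_t got;            /* bytes actually read from the file */
    size_t swift_table_len = sizeof(swift_table) / sizeof(swift_table[0]);
    FILE *fin;
    int rc = EXIT_SUCCESS;

    if (argc < 3) {
        fprintf(stderr, "Error! Usage: swift-main <string> <filename>\n");
        return EXIT_FAILURE;
    }
    search_for = argv[1];
    filename = argv[2];

    fin = fopen(filename, "r");
    if (fin == NULL) {
        fprintf(stderr, "Error! Unable to open file %s\n", filename);
        return EXIT_FAILURE;
    }

    /* One spare byte keeps the buffer NUL-terminated whatever fread() returns. */
    buffer = calloc(1, TEXT_BUF_SIZE + 1);
    if (buffer == NULL) {
        fprintf(stderr, "Error! Unable to allocate buffer space...\n");
        fclose(fin);
        return EXIT_FAILURE;
    }

    /* Read byte-wise: fread(buffer, TEXT_BUF_SIZE, 1, fin) returns 0 for a
     * file shorter than the buffer and leaves the partial element unspecified. */
    got = fread(buffer, 1, TEXT_BUF_SIZE, fin);
    if (got == 0 && ferror(fin)) {
        fprintf(stderr, "Error! Unable to read file %s\n", filename);
        rc = EXIT_FAILURE;
        goto done;
    }
    buffer[got] = '\0';
    string_to_upper(buffer);

    printf("String before conversion is: %s\n", search_for);
    string_to_upper(search_for);
    printf("String after conversion is: %s\n\n", search_for);

    /* The data file is expected to be plain text: a NUL byte inside it ends
     * the searched region early. */
    site = BruteSearch(buffer, search_for);
    if (site == NULL) {
        printf("Error! String: %s not found in first %d characters of file: %s\n\n",
               search_for, TEXT_BUF_SIZE, filename);
    } else {
        char solution[SOLUTION_LEN + 1];
        size_t i;

        extract_context(buffer, site, solution);
        printf("\n\nFound Solution: %s\n", solution);

        /* As in the original, only a code present in the data file is looked
         * up in the table. Linear scan; see the note at the top of the file. */
        for (i = 0; i < swift_table_len; i++) {
            if (code_equal(search_for, swift_table[i].code)) {
                printf("\n\nMatch Found...\n");
                printf(" Institution[%zu] is: %s\n", i, swift_table[i].institution);
                printf(" City[%zu] is: %s\n", i, swift_table[i].city);
                printf(" Swift Code[%zu] is: %s\n\n", i, swift_table[i].code);
                break;
            }
        }
    }

done:
    free(buffer);
    fclose(fin);
    return rc;
}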