Snort mailing list archives
Re: question about a content string
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 29 Jul 2016 11:01:47 -0400
This rule is looking for a series of "\x41". Do you have a pcap?

Alex McDonnell
TALOS

On Fri, Jul 29, 2016 at 10:53 AM, Scott Ellis <scorellis () gmail com> wrote:
I have run across the following content string in a rule that seems to be fp: |5C|x41|5C|x41|5C|x41|5C|x41

Here is the entire rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url, www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:1;)

Searching a decompressed packet capture (which is gzip HTTP) returns neither a string of hexadecimal 5C 41 5C 41 ..., nor a 41 41 41 41 (as the rule msg suggests), nor a \41\41\41. There are, however, at least 9 hexadecimal 41s within a 900-byte segment.

According to the Snort manual, "The binary data is _generally_ enclosed within the pipe (|) character and represented as bytecode." What is meant by "generally"? The most likely explanation of the x is that it's trying to say that it's hex, but the documentation <http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000> is unclear.

So, at the end, here are my three questions:

1. Does the "x" stand for hex?
2. Is the "fast_pattern:only" keyword causing this thing to be way more sensitive than it should be to the presence of 41s?
3. What is the solution to this (multiple choice):
   A) Is there already a rule for this threat in the GPL?
   B) Should this rule be rewritten (if so, how)?
   C) Is this an irrelevant rule that should just be disabled?

Thanks.
S.

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
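The following is an added example, not code from Snort, Emerging Threats, or either poster, that decodes the content string from the rule above and runs it against constructed HTTP response bodies. It makes the point of the reply concrete: inside a content string only the text between a pair of pipes is hex bytecode, so "|5C|" is the single byte 0x5C (a backslash) and the "x41" outside the pipes is three literal characters. The pattern is therefore the 16-byte text \x41\x41\x41\x41 as it would appear in hex-obfuscated JavaScript, not four raw 0x41 bytes and not the byte pairs 5C 41. The sample payloads, the function names, and the emulation of a single content/nocase check (a plain substring search, with no fast-pattern matcher, offsets, or other rule options) are all assumptions of this example; the backslash escapes it accepts in the literal part (for the characters ; " \ and |) follow the Snort 2 manual's content syntax.

```python
"""Decode a Snort content: string and test it against sample payloads.

Added example for this thread (not Snort's, Emerging Threats', or the
posters' code). It shows what content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase;
actually matches: the literal text \\x41\\x41\\x41\\x41, where only the 5C
between the pipes is hex bytecode and 'x', '4', '1' are plain characters.
"""

RULE_CONTENT = "|5C|x41|5C|x41|5C|x41|5C|x41"

# Constructed sample HTTP response bodies (assumed, not the poster's pcap).
SAMPLE_PAYLOADS = {
    # hex-obfuscated JavaScript heap spray: backslash, 'x', '4', '1' repeated
    "obfuscated_js": b'<script>var nop = unescape("\\x41\\x41\\x41\\x41\\x41\\x41");</script>',
    # same with an uppercase X; matched only because the rule has nocase
    "obfuscated_js_upper": b'<script>var nop = "\\X41\\X41\\X41\\X41";</script>',
    # the raw bytes 41 41 41 41 ("AAAA") that the rule msg suggests
    "raw_41s": b"<html><body>AAAA AAAA AAAA</body></html>",
    # the byte pairs 5C 41 5C 41 ... that the poster grepped for
    "raw_5c41": b"<html>\\A\\A\\A\\A</html>",
    # many scattered 0x41 bytes but no \x41 text at all
    "scattered_41s": b"<a>A</a><a>A</a><a>A</a><a>A</a><a>A</a><a>A</a><a>A</a><a>A</a><a>A</a>",
}


def parse_snort_content(spec: str) -> bytes:
    """Turn the value of a Snort content: option into the raw bytes it matches.

    Text between a pair of pipes is hex bytecode (two hex digits per byte,
    whitespace between bytes allowed); text outside the pipes is literal, with
    a backslash escaping the characters ; " \\ and | as Snort requires.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            end = spec.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex block in content string")
            out += bytes.fromhex(spec[i + 1:end])  # fromhex skips whitespace
            i = end + 1
        elif c == "\\":
            if i + 1 >= len(spec) or spec[i + 1] not in ';"\\|':
                raise ValueError("bad escape at offset %d" % i)
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out += c.encode("latin-1")  # literal character, e.g. the 'x' in x41
            i += 1
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Emulate one content: match: plain substring search, nocase folds ASCII case."""
    needle = parse_snort_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def check_samples(spec: str = RULE_CONTENT, nocase: bool = True) -> dict:
    """Return {sample name: matched?} for every constructed payload."""
    return {name: content_matches(data, spec, nocase) for name, data in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    needle = parse_snort_content(RULE_CONTENT)
    print("content bytes:", needle.hex(), "->", needle.decode("latin-1"))
    for name, hit in check_samples().items():
        print("%-20s %s" % (name, "MATCH" if hit else "no match"))
```

Only the two obfuscated-JavaScript samples match; the bodies containing raw 0x41 bytes, the byte pairs 5C 41, or scattered 41s do not, because the content still requires the full 16-byte sequence. To answer the first question in the same terms: the "x" does not stand for hex here, it is one of the literal characters the rule expects to see in the response text.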
Current thread:
- question about a content string Scott Ellis (Jul 29)
- Re: question about a content string Joel Esler (jesler) (Jul 29)
- Re: question about a content string Alex McDonnell (Jul 29)