Snort mailing list archives

Feature Request - xor operator


From: Harley H via Snort-devel <snort-devel () lists snort org>
Date: Fri, 1 Mar 2019 09:48:16 -0500

Hello,
Would it be possible to add an xor operator to Snort? I'm thinking it
could be part of a byte_test but of course defer to those who know better.

I'm encountering multiple malware families using random multi-byte xor
schemes with their C2 protocol. Having an xor operator would allow the key
to be extracted from the packet then tested against other bytes looking for
known plaintext.

I can put together some pcap and examples if that would be helpful.


-Harley
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
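The check the request describes (pull a random multi-byte XOR key out of the packet, then XOR it against other bytes and compare with a known plaintext) can be prototyped outside Snort to see what such an operator would have to do. The block below is an added illustration written for this archive page; it is not Snort code and not something the author posted. The message layout (a 2-byte magic, a 4-byte key at offset 2, XOR-encoded body from offset 6) and the C2 sample are constructed for the example, and the function parameters mirror the kind of arguments a byte_test-style operator would need.

```python
"""Prototype of an XOR-key-extraction check for a C2 message.

Constructed layout for this example (NOT a real malware family's format):
    [2-byte magic][4-byte random key][body XORed with the key, repeating]
The detection question is: after extracting the key from the packet, do the
bytes at some other offset decode to a known plaintext marker?
"""

from typing import Optional


def extract_key(payload: bytes, key_offset: int, key_len: int) -> Optional[bytes]:
    """Return the key bytes at key_offset, or None if the packet is too short."""
    if key_offset < 0 or key_len <= 0 or key_offset + key_len > len(payload):
        return None
    return payload[key_offset:key_offset + key_len]


def xor_with_key(data: bytes, key: bytes, stream_pos: int = 0) -> bytes:
    """XOR data with a repeating key; stream_pos is the index of data[0]
    within the XOR stream so that key alignment is preserved."""
    return bytes(b ^ key[(stream_pos + i) % len(key)] for i, b in enumerate(data))


def xor_known_plaintext(payload: bytes, key_offset: int, key_len: int,
                        data_offset: int, test_offset: int, expected: bytes) -> bool:
    """Hypothetical byte_test-with-xor semantics:
       key           = payload[key_offset : key_offset + key_len]
       data_offset   = where the XOR stream starts (key index 0)
       test_offset   = packet offset of the bytes to decode
       expected      = known plaintext the decoded bytes must equal
    Returns False (no alert) on any bounds problem rather than raising."""
    key = extract_key(payload, key_offset, key_len)
    if key is None or test_offset < data_offset:
        return False
    window = payload[test_offset:test_offset + len(expected)]
    if len(window) != len(expected):
        return False
    return xor_with_key(window, key, test_offset - data_offset) == expected


def encode_c2_message(key: bytes, body: bytes, magic: bytes = b"\x17\x03") -> bytes:
    """Constructed encoder used only to build sample traffic for the check."""
    return magic + key + xor_with_key(body, key)


# Constructed sample: random-looking 4-byte key, body with a known marker.
KEY = b"\x5a\xa7\x13\xc4"
BODY = b"BEACON|host=lab01|cmd=idle"
SAMPLE = encode_c2_message(KEY, BODY)

if __name__ == "__main__":
    # Marker at packet offset 6 (start of body), key at offset 2, stream starts at 6.
    print(xor_known_plaintext(SAMPLE, 2, 4, 6, 6, b"BEACON"))   # True
    # Same rule evaluated with the key taken from the wrong offset.
    print(xor_known_plaintext(SAMPLE, 3, 4, 6, 6, b"BEACON"))   # False
```

The key point for an operator like this is alignment: the keystream index of a tested byte depends on where the encoded region starts, so the rule needs both the key location and the stream origin, not just the key length. A truncated packet must fail closed (no alert) rather than read past the buffer.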