Snort mailing list archives
Feature Request - xor operator
From: Harley H via Snort-devel <snort-devel () lists snort org>
Date: Fri, 1 Mar 2019 09:48:16 -0500
Hello,

Would it be possible to add an xor operator to Snort? I'm thinking it could be part of a byte_test but of course defer to those who know better.

I'm encountering multiple malware families using random multi-byte xor schemes with their C2 protocol. Having an xor operator would allow the key to be extracted from the packet then tested against other bytes looking for known plaintext.

I can put together some pcap and examples if that would be helpful.

-Harley
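The check the message asks for, modelled in Python as an added example (this is not code from the original post and not Snort's own byte_test implementation): a multi-byte key is read from a fixed field of the packet, applied as a repeating XOR keystream to another region, and the result compared with a known plaintext. The offsets, the 3-byte key, the "CMD:" header and the sample packets are all constructed for the illustration; the assumption that the keystream starts at the beginning of the data field is a parameter (stream_start) so that a protocol that aligns the key to absolute packet offsets can be modelled too.

```python
# Added example (not part of the original message or of Snort): a small
# Python model of the known-plaintext XOR check described above, useful for
# reasoning about what an "xor operator" in a rule would have to express.
# All offsets, key lengths and sample packets below are constructed.

from typing import List, Optional


def extract_key(payload: bytes, key_offset: int, key_len: int) -> bytes:
    """Return the multi-byte XOR key carried inside the packet itself."""
    if key_offset < 0 or key_len <= 0 or key_offset + key_len > len(payload):
        raise ValueError("key field lies outside the payload")
    return payload[key_offset:key_offset + key_len]


def xor_decode(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data with a repeating key; phase selects which key byte lines up with data[0]."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[(i + phase) % len(key)] for i, b in enumerate(data))


def known_plaintext_match(payload: bytes, key_offset: int, key_len: int,
                          data_offset: int, plaintext: bytes,
                          stream_start: Optional[int] = None) -> bool:
    """True when decoding payload[data_offset:] with the in-packet key yields plaintext.

    stream_start is the absolute offset at which the keystream begins.
    Assumption: it defaults to data_offset, i.e. the key is applied from
    the first byte of the tested region.
    """
    if stream_start is None:
        stream_start = data_offset
    end = data_offset + len(plaintext)
    if data_offset < stream_start or end > len(payload):
        return False
    key = extract_key(payload, key_offset, key_len)
    phase = (data_offset - stream_start) % key_len
    return xor_decode(payload[data_offset:end], key, phase) == plaintext


# ---- constructed sample traffic (not real malware data) ----
SAMPLE_KEY = bytes.fromhex("a55a3c")           # made-up 3-byte key
SAMPLE_PLAIN = b"CMD:beacon"                    # made-up plaintext C2 body
SAMPLE_C2 = SAMPLE_KEY + xor_decode(SAMPLE_PLAIN, SAMPLE_KEY)  # key field, then encoded body
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\n"           # carries no such layout


def scan(packets: List[bytes]) -> List[int]:
    """Return the indices of packets matching the rule: key at offset 0 (3 bytes),
    encoded data starting at offset 3, expected plaintext prefix b"CMD:"."""
    hits = []
    for i, p in enumerate(packets):
        try:
            if known_plaintext_match(p, key_offset=0, key_len=3,
                                     data_offset=3, plaintext=b"CMD:"):
                hits.append(i)
        except ValueError:
            continue  # packet too short to hold the key field
    return hits


if __name__ == "__main__":
    print(scan([SAMPLE_BENIGN, SAMPLE_C2, b"\x00"]))  # [1]
```

The length checks matter for a detection engine: a short packet must fail the match cleanly rather than read past the payload, and a key field that overlaps the tested region should be rejected or at least treated as a separate case, since the "known plaintext" would then depend on the key bytes themselves.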