Feature #5798
openNew transformation: dropbytes
Description
I coded a new transformation, and want to know if there is interest to merge this into Suricata.
One of the problems this new transformation helps with: detecting obfuscated code.
Like this downloaded code: cm^d.exe /k power^shell.exe -Encodedcommand AAAAAAAAAAAAAAAAAAAA
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data cm^d.exe test"; flow:established,to_client; file.data; dropbytes:"^"; content:"cmd.exe"; sid:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Dropbytes file.data power^shell test"; flow:established,to_client; file.data; dropbytes:"^"; content:"powershell"; sid:2
;)
Character ^ can be used to bypass detection of Windows commands, by adding this character at arbitrary places in the command.
Transformation dropbytes:"^"; removes this ^ character.
This transformation can also help with UNICODE detection, quick & dirty solution: remove al NUL bytes. dropbytes:"|00|";
Files
Updated by Peter Manev almost 2 years ago
Yes there is. This can improve detection techniques.
Is it possible to create an MR ? Would love to test it.
Updated by Didier Stevens almost 2 years ago
- File dropbytes.rules dropbytes.rules added
- File powershell-filedata.pcap powershell-filedata.pcap added
- File powershell-headers.pcap powershell-headers.pcap added
I did create a PR:
https://github.com/OISF/suricata/pull/8386
Attached are my test files.
Updated by Philippe Antoine almost 2 years ago
- Status changed from New to In Review