[Snort-devel] Feature Request - xor operator
bobb.harley at gmail.com
Fri Mar 1 09:48:16 EST 2019
Would it be possible to add an xor operator to Snort? I'm thinking it
could be part of a byte_test but of course defer to those who know better.
I'm encountering multiple malware families using random multi-byte xor
schemes with their C2 protocol. Having an xor operator would allow the key
to be extracted from the packet then tested against other bytes looking for
I can put together some pcap and examples if that would be helpful.
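
An added illustration of the check requested above, not part of the original post and not Snort syntax or Snort code: pull a per-session key out of the payload, XOR it over other bytes, and compare the result with a known plaintext. The packet layout (4-byte key at offset 0, body at offset 4, "HELO" marker) and all function names are assumptions constructed for this example.

```python
from itertools import cycle

# Hypothetical layout, constructed for this example (not from a real family):
#   bytes 0-3 : random XOR key chosen per session
#   bytes 4.. : body XORed with the repeating key; plaintext begins "HELO"
KEY_OFF, KEY_LEN, BODY_OFF, MAGIC = 0, 4, 4, b"HELO"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_test(payload: bytes, key_off: int, key_len: int,
             data_off: int, expected: bytes) -> bool:
    """Extract key_len bytes at key_off, XOR them over the bytes at
    data_off, and report whether the decoded bytes equal expected."""
    if key_len <= 0 or key_off < 0 or data_off < 0:
        return False
    # A truncated packet must fail the test rather than match a short slice.
    if key_off + key_len > len(payload):
        return False
    if data_off + len(expected) > len(payload):
        return False
    key = payload[key_off:key_off + key_len]
    data = payload[data_off:data_off + len(expected)]
    return xor_bytes(data, key) == expected


def make_sample(key: bytes, body: bytes) -> bytes:
    """Build a constructed packet in the hypothetical layout above."""
    return key + xor_bytes(body, key)


def classify(payload: bytes) -> bool:
    return xor_test(payload, KEY_OFF, KEY_LEN, BODY_OFF, MAGIC)


if __name__ == "__main__":
    samples = {
        "session A": make_sample(b"\x13\x37\xc0\xde", b"HELO\x00\x01id=7"),
        "session B": make_sample(b"\xa1\xb2\xc3\xd4", b"HELO\x00\x01id=9"),
        "benign": b"GET / HTTP/1.1\r\n",
        "truncated": b"\x13\x37\xc0\xde\x5b",
    }
    for name, pkt in samples.items():
        print(f"{name:10} raw={pkt[:8].hex():16} match={classify(pkt)}")
```

The two sessions share no fixed byte sequence on the wire, so a static content match has nothing to anchor on, yet both pass the key-relative test.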