[Snort-devel] Feature Request - xor operator

Harley H bobb.harley at gmail.com
Fri Mar 1 09:48:16 EST 2019


Hello,
Would it be possible to add an xor operator to Snort? I'm thinking it
could be part of a byte_test, but of course I defer to those who know better.

I'm encountering multiple malware families using random multi-byte xor
schemes with their C2 protocol. Having an xor operator would allow the key
to be extracted from the packet and then tested against other bytes, looking for
known plaintext.

I can put together some pcap and examples if that would be helpful.


-Harley
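As an added illustration, not code from the post or from Snort, here is a Python model of the check described above (a byte_test-style xor step): the key is read from the packet at an assumed offset, applied to a later byte range, and compared with known plaintext. The offsets, key length, marker string and sample payloads are constructed assumptions for this example.

```python
# Added example, not from the Snort-devel post or from Snort itself.
# Models the proposed rule check: a multi-byte XOR key sits at a known
# offset in the payload; the check reads it, applies it to a later byte
# range and compares the result with known plaintext.  Because the key is
# taken from the packet, the same check matches even when every beacon
# uses a different random key (which a static content match cannot do).

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating multi-byte key (key[i % len(key)])."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_known_plaintext_test(payload: bytes, key_offset: int, key_len: int,
                             data_offset: int, plaintext: bytes) -> bool:
    """Mimic a byte_test with an xor operator.

    True when payload[data_offset : data_offset + len(plaintext)], decoded
    with the key at payload[key_offset : key_offset + key_len], equals the
    known plaintext.  Out-of-range reads fail closed (False) the way a rule
    option would, rather than raising.
    """
    key_end = key_offset + key_len
    data_end = data_offset + len(plaintext)
    if key_len <= 0 or key_end > len(payload) or data_end > len(payload):
        return False
    key = payload[key_offset:key_end]
    return xor_bytes(payload[data_offset:data_end], key) == plaintext


# Constructed C2 message layout (assumption): 2-byte magic, 4-byte random
# key, then the body XOR-encoded with that key.  The body starts with the
# marker "CMD:", which is the known plaintext the rule looks for.
MAGIC = b"\x13\x37"
MARKER = b"CMD:"


def encode_beacon(key: bytes, body: bytes) -> bytes:
    """Build a sample message in the constructed layout above."""
    return MAGIC + key + xor_bytes(body, key)


def demo() -> list:
    """Run the check over two beacons that use different random keys."""
    beacons = [encode_beacon(bytes.fromhex("a17f3c9e"), b"CMD:beacon"),
               encode_beacon(bytes.fromhex("00ff55aa"), b"CMD:sleep 60")]
    # key at offset 2 (4 bytes), encoded body begins right after it at 6
    return [xor_known_plaintext_test(p, 2, 4, 6, MARKER) for p in beacons]
```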