[Snort-devel] Feature Request - xor operator

Joshua Kinard kumba at gentoo.org
Mon Mar 4 04:43:23 EST 2019

On 3/1/2019 09:48, Harley H via Snort-devel wrote:
> Hello,
> Would it be possible to add an xor operator to Snort? I'm thinking it
> could be part of a byte_test but of course defer to those who know better.
> I'm encountering multiple malware families using random multi-byte xor
> schemes with their C2 protocol. Having an xor operator would allow the key
> to be extracted from the packet then tested against other bytes looking for
> known plaintext.
> I can put together some pcap and examples if that would be helpful.
> -Harley

I have a patch, somewhere, that I wrote a few years back that added two new
keywords, "xor_decode" and "xor_data".  It was modeled after the
base64_decode/data keywords, and they enable xor decoding with keys up to
unsigned 64bit ints.  One can use a static key supplied w/ xor_decode, or a
dynamic key of a specific length at offset, searching forwards or backwards in
the packet.

Can't do anything for keys beyond eight bytes because I was trying to take
advantage of native CPU register sizes and chomping the packet at four- or
eight-byte intervals.  So the code is really specific to this approach,
versus being smarter and handling arbitrary-sized keys.  That's an area that
could be improved upon.

The patch was last synced against snort-, so it's quite a bit
out of date.  Might be possible to sync it up to newer Snort-2.9.x releases,
but I won't have time to test that out for a few weeks.  If anyone wants to
mess with the copy, let me know and I'll look for where I
stashed it and post to the mailing list.

Joshua Kinard
kumba at gentoo.org
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

More information about the Snort-devel mailing list