[Snort-sigs] DNS Reverse Shell sig

Dave Killion dave.killion at ...2420...
Wed Feb 4 16:06:52 EST 2015


The initial letter before the dash is part of the "label" (that 0x3A is
measuring) so yes - the fact you're counting 58 bytes total (between the
character class, the dash, and your pcre string) means you'll match on 0x3A
all the time.

In fact, you could probably remove the last pcre check entirely, since
doing that 0x3A check will perform the byte-count for you...

-Dave

On Wed Feb 04 2015 at 1:02:37 PM James Lay <jlay at ...3266...> wrote:

> On 2015-02-04 01:29 PM, rmkml wrote:
> > Thx James for sharing,
> >
> > Length is always the same, add 0x3A (dns length) like this ?
> > Add "-" for better performance ?
> > modify pcre to use relative?
> >
> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS
> Shell"; content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11;
> offset:2; fast_pattern; content:"-"; within:1; distance:1;
> pcre:"/^[a-z0-9]{56}/Ri";
> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html;
> classtype:bad-unknown; sid:10000150; rev:2;)
> >
> > Best Regards
> > @Rmkml
> >
> >
> > On Wed, 4 Feb 2015, James Lay wrote:
> >
> >> In my testing of
> >> http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html I
> >> noticed that during the reverse shell session a semi-constant showed
> >> up...namely a character followed by a dash, followed by 56 other
> >> characters.  Pretty sure this could be changed in the python code, but
> >> this will catch this in it's current form.  It will not fire on each
> >> and every dns query, but will most likely fire at least during the
> >> session.
> >>
> >> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS
> >> Shell"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> >> fast_pattern; pcre:"/[a-z]-[a-z0-9]{56}/i";
> >> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-
> dns-shell.html;
> >> classtype:bad-unknown; sid:10000150; rev:1;)
> >>
> >> This WILL most likely FP if you're looking for a domain that matches
> >> the above style, but I couldn't find any such domain in my logs.
> >> Enjoy.
> >>
> >> James
>
> That's a good idea..would that still catch the initial "[a-zA-Z]-" at
> the start though?  Or just the "-[a-z0-9]{56}"...thanks RM!
>
> James
>
> ------------------------------------------------------------
> ------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150204/ce09fcea/attachment.html>


More information about the Snort-sigs mailing list