[Snort-sigs] question about a content string

Joel Esler (jesler) jesler at ...3865...
Fri Jul 29 11:10:05 EDT 2016


Scott,

I answered this question yesterday, did you get my answer?

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintelligence.com

> On Jul 29, 2016, at 10:53 AM, Scott Ellis <scorellis at ...2420...> wrote:
> 
> I have run across the following content string in a rule that seems to be fp:
> |5C|x41|5C|x41|5C|x41|5C|x41
> 
> Here is the entire rule:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:1;)
> 
> Searching a decompressed packet capture (which are gzip http) returns neither a string of hexadecimal:
> 5C 41 5C 41 ...
> 
> nor a 41 41 41 41 (as the rule msg suggests)
> nor a \41\41\41
> 
> There are, however, at least 9 hexadecimal 41s within a 900 byte segment.
> 
> According to the snort manual, "The binary data is _generally_ enclosed within the pipe (|) character and represented as bytecode"
> 
> What is meant by "generally"?  The most likely explanation of the x is that it's trying to say that it's hex, but the documentation <http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000> is unclear.
> 
> So, at the end, here are my three questions:
> 1. does the "x" stand for hex?
> 2. is the "fast_pattern:only" keyword causing this thing to be way more sensitive than it should be to the presence of 41s?
> 3. What is the solution to this (multiple choice): A) is there already a rule for this threat in the GPL, B) should this rule be rewritten (if so, how), or C) Is this an irrelevant rule that should just be disabled?
> 
> thanks.
> S.
> 

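To make concrete what the pipe syntax in the quoted rule actually matches, here is an added example that is not from this thread or from the Snort project: a small parser for Snort 2 content strings, run against constructed sample HTTP response bodies. It assumes the documented convention that bytes between pipes are hex and everything outside them is literal text (so `|5C|x41` is a backslash followed by the three characters `x41`), and it does not model `fast_pattern`.

```python
import re

# Content string from the rule quoted above (sid 2013273).
RULE_CONTENT = "|5C|x41|5C|x41|5C|x41|5C|x41"

# Constructed sample payloads (not real captures).
OBFUSCATED_JS = b'var s = unescape("\\x41\\x41\\x41\\x41" + "%u9090");'  # literal \x41 text
OBFUSCATED_JS_UPPER = b'var s = "\\X41\\X41\\X41\\X41";'                # same, upper-case X
RAW_A_BYTES = b"AAAAAAAAAAAAAAAA"      # raw 0x41 bytes, what the msg "41414141" hints at
BACKSLASH_41 = b"\\41\\41\\41\\41"     # the \41 form searched for in the question


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into the bytes the engine searches for.

    Text between pipes is hex bytes (whitespace between bytes allowed);
    text outside pipes is literal. Outside pipes, a backslash escapes
    ; " | and backslash itself.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)          # ValueError if unterminated
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec) and spec[i + 1] in ';"|\\':
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(spec: str, payload: bytes, nocase: bool = False) -> bool:
    """Plain substring match, case-insensitive when the rule carries nocase."""
    needle = parse_snort_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def count_matches(spec: str, payload: bytes) -> int:
    """Number of non-overlapping occurrences of the content in the payload."""
    return len(re.findall(re.escape(parse_snort_content(spec)), payload))
```

Running `content_matches(RULE_CONTENT, p, nocase=True)` over the samples shows the rule fires only on the literal `\x41\x41\x41\x41` text of hex-escaped JavaScript, not on raw `A` bytes or on `\41`.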