[Snort-users] Quick Question: base64 snort options

Kevin Ross kevross33 at ...14012...
Thu Feb 24 07:36:48 EST 2011


Hey. I am wondering if I understand this right, as I think this could be
useful for these 2.9 Snort options. If you specify an HTTP POST and then
base64 data followed by windows or service pack or some other phrase, will
Snort then check the decoded base64 string wherever it may be for that
string within the depth you specify, such as:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 XP SP Operating System Type Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"XP SP"; nocase; within:100; classtype:trojan-activity; sid:156006; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 OS Windows Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"windows"; nocase; within:100; classtype:trojan-activity; sid:156008; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible Base64 Windows Service Pack Post"; flow:established,to_server; content:"POST"; http_method; base64_decode; base64_data; content:"service pack"; nocase; within:100; classtype:trojan-activity; sid:156009; rev:1;)

I was just thinking that if this was the case, then with a little work they
could be a generic detection for some malware CNC communication, i.e. this
sort of thing: https://www.honeynet.org/node/539

Am I on the right track or have I misunderstood how these rule options work?
Thanks, Kev
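As an added illustration (not Kevin's rules and not Snort's own code), here is a small Python model of how base64_decode, base64_data and within interact as the Snort 2.9 manual describes them, run over a constructed POST request. It assumes that without an offset/relative argument base64_decode starts at the beginning of the packet payload, which for these rules is the request line rather than the body; the decode-run and within semantics are my simplified reading of the manual, not a reproduction of Snort's decoder.

```python
import base64
import re

# Assumed model of the Snort options (not Snort's code): base64_decode takes the
# run of base64 characters starting at an offset into the packet payload (offset 0
# unless offset/relative is given), base64_data moves the cursor to the decoded
# buffer, and content ... within:N must then match inside the first N decoded bytes.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]+")

def base64_decode_buffer(payload, offset=0, max_bytes=None):
    """Decode the run of base64 characters starting at `offset`.
    Returns b"" when nothing decodes, which models base64_data not matching."""
    m = B64_RUN.match(payload, offset)
    if not m:
        return b""
    chunk = m.group(0)
    if max_bytes is not None:          # models the `bytes` argument
        chunk = chunk[:max_bytes]
    chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a trailing partial quantum
    try:
        return base64.b64decode(chunk, validate=True)
    except ValueError:
        return b""

def body_offset(payload):
    """Offset of the HTTP body (first byte after the blank line), or len(payload)."""
    idx = payload.find(b"\r\n\r\n")
    return idx + 4 if idx >= 0 else len(payload)

def rule_matches(payload, pattern, within, decode_offset=0):
    """Model of: content:"POST"; http_method; base64_decode[:offset <decode_offset>];
    base64_data; content:<pattern>; nocase; within:<within>;"""
    if not payload.startswith(b"POST "):
        return False
    decoded = base64_decode_buffer(payload, decode_offset)
    if not decoded:
        return False
    return pattern.lower() in decoded[:within].lower()

def build_post(body_plaintext):
    """Constructed sample request: a POST whose body is the base64 of `body_plaintext`."""
    body = base64.b64encode(body_plaintext)
    return (b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
```

With decode_offset=0 the run that gets decoded is the four letters of "POST", so the body is never inspected; pointing the decode at body_offset(req) is what makes the "XP SP" check succeed, and the within window is measured in decoded bytes.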