[Snort-users] Quick Question: base64 snort options

Kevin Ross kevross33 at ...14012...
Thu Feb 24 08:12:42 EST 2011


Ah I see it does seem to work like that. I have inbound ones for testing for
some test commands (download, flood, scan etc) and it FPd on this:

Base64: YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--
Ascii: ardownloads.yahoo.com?

Inbound stuff was a test but outbound stuff like previously mentioned sigs,
would they work as I intend? If so some generic sigs for base64 encoded
common values seen in malware communications as a host tells the server
about itself.


On 24 February 2011 12:36, Kevin Ross <kevross33 at ...14012...> wrote:

> hey. I am wondering if I understand this right as I think this could be
> useful for these 2.9 snort options. If you specify a HTTP post and then
> base64 data followed by windows or service pack or some other phrase will
> snort then check the decoded base64 string wherever it may be for that
> string within the depth you specify such as:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
> Base64 XP SP Operating System Type Post"; flow:established,to_server;
> content:"POST"; http_method; base64_decode; base64_data; content:"XP SP";
> nocase; within:100; classtype:trojan-activity; sid:156006; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
> Base64 OS Windows Post"; flow:established,to_server; content:"POST";
> http_method; base64_decode; base64_data; content:"windows"; nocase;
> within:100; classtype:trojan-activity; sid:156008; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CNC Possible
> Base64 Windows Service Pack Post"; flow:established,to_server;
> content:"POST"; http_method; base64_decode; base64_data; content:"service
> pack"; nocase; within:100; classtype:trojan-activity; sid:156009; rev:1;)
>
> Just I was thinking if this was the case and with a little work they could
> be a generic detection for some malware CNC communication. i.e this sort of
> thing https://www.honeynet.org/node/539
>
> Am I on the right track or have I misunderstood how these rule options
> work? Thanks, Kev
>
>
>
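As an added example (not from the thread and not Snort's own code), the following Python emulates the base64_decode; base64_data; content; nocase; within chain the posted rules rely on, and runs it over the false-positive blob from the thread and over a constructed beacon body of the kind the outbound rules are aimed at. The decoder (dropping the trailing "--" and restoring padding) and treating within:100 as a 100-byte depth on the decoded buffer are assumptions about Snort's behaviour.

```python
import base64
import re

B64_JUNK = re.compile(rb"[^A-Za-z0-9+/]")


def snort_like_b64_decode(raw: bytes) -> bytes:
    """Approximate base64_decode (assumption, not Snort's implementation):
    drop characters outside the base64 alphabet (the trailing '--' in the
    thread's sample), restore '=' padding, and decode what is left."""
    clean = B64_JUNK.sub(b"", raw)
    if len(clean) % 4 == 1:          # a lone trailing sextet cannot form a byte
        clean = clean[:-1]
    clean += b"=" * (-len(clean) % 4)
    return base64.b64decode(clean)


def matching_contents(encoded: bytes, patterns, within=100):
    """Emulate 'base64_decode; base64_data; content:X; nocase; within:N' for
    each pattern: case-insensitive search limited to the first N decoded
    bytes (the within:100 from the posted rules, applied here as a depth)."""
    hay = snort_like_b64_decode(encoded)[:within].lower()
    return [p for p in patterns if p.lower() in hay]


# Phrases from the posted outbound rules (host describing itself to the server).
OUTBOUND_PATTERNS = [b"XP SP", b"windows", b"service pack"]
# Inbound test-command phrases of the kind the thread says false-positived.
INBOUND_PATTERNS = [b"download", b"flood", b"scan"]

# The blob quoted in the thread's false positive.
FP_BLOB = b"YXIDZG93bmxvYWRzLnlhaG9vLmNvbQ--"
# Constructed beacon body (not from the thread) that the outbound rules target.
BEACON_BLOB = base64.b64encode(b"os=Windows XP SP3 (Service Pack 3);host=LAB-PC")

if __name__ == "__main__":
    print(snort_like_b64_decode(FP_BLOB))                 # b'ar\x03downloads.yahoo.com'
    print(matching_contents(FP_BLOB, INBOUND_PATTERNS))   # [b'download']: the FP
    print(matching_contents(FP_BLOB, OUTBOUND_PATTERNS))  # []
    print(matching_contents(BEACON_BLOB, OUTBOUND_PATTERNS))
```

The decoded hostname contains "download" as a substring, which is why a bare content match on a short word fires on ordinary traffic; anchoring the match to surrounding delimiters or a longer phrase narrows it.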