Monday, April 11, 2011

Detecting PECOFF EXE/DLL files with Snort

Some time ago, I became interested in parsing the PECOFF file format. As a result, I authored several different Snort rules to detect the transfer of either an EXE or DLL file of different varieties. Listed below are rules for both i386/32-bit and x86-64-bit. Additionally, there is a set of rules for UPX Packed EXE files.

Hopefully readers and Snort fans will find these useful.

# i386 32-bit EXE over TCP
log tcp any any -> any any (msg:"LOCAL: i386 PE32 EXE File Xfer"; flowbits:isnotset,upx.exe.packed; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; flowbits:unset,upx.exe.packed; sid:4963001; rev:1;)

# i386 32-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963002; rev:1;)

# x86 64-bit EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963101; rev:1;)

# x86 64-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963102; rev:1;)

# UPX Packed EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over TCP"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963201; rev:1;)

# UPX Packed EXE over UDP
alert udp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over UDP"; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963301; rev:1;)

2 comments:

keshy said...

Hi!

Thanks for sharing this. I just tested these out and works great!

I was looking for something similar to do with snort and was having a tough time figuring out the patterns from reading the documentation.

Could you elaborate more on how these rules work and what assumptions are being made about the binaries? Is this signature set for each packet on the exe file download?

Mary Baxter said...

And as practice shows, some programs require the installation of the dll, which are not included in the standard Windows library. I had a similar situation with http://fix4dll.com/msvcr110_dll dll file. It can help when you've just installed game or soft.