Some time ago, I became interested in parsing the PECOFF file format. As a result, I authored several different Snort rules to detect the transfer of either an EXE or DLL file of different varieties. Listed below are rules for both i386/32-bit and x86-64-bit. Additionally, there is a set of rules for UPX Packed EXE files.
Hopefully readers and Snort fans will find these useful.
# i386 32-bit EXE over TCP
log tcp any any -> any any (msg:"LOCAL: i386 PE32 EXE File Xfer"; flowbits:isnotset,upx.exe.packed; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; flowbits:unset,upx.exe.packed; sid:4963001; rev:1;)
# i386 32-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963002; rev:1;)
# x86 64-bit EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963101; rev:1;)
# x86 64-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963102; rev:1;)
# UPX Packed EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over TCP"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963201; rev:1;)
# UPX Packed EXE over UDP
alert udp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over UDP"; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963301; rev:1;)
3 comments:
Hi!
Thanks for sharing this. I just tested these out and works great!
I was looking for something similar to do with snort and was having a tough time figuring out the patterns from reading the documentation.
Could you elaborate more on how these rules work and what assumptions are being made about the binaries? Is this signature set for each packet on the exe file download?
And as practice shows, some programs require the installation of the dll, which are not included in the standard Windows library. I had a similar situation with http://fix4dll.com/msvcr110_dll dll file. It can help when you've just installed game or soft.
Gambling at thirteen, enjoying in} poker together with his associates for small stakes after college. Weber, who's 32 now, and a New Jersey native, grew up within the wake of the Moneymaker effect—a growth in poker interest sparked when a 27-year-old accountant from Tennessee, Chris Moneymaker, received the 2003 World Series of Poker, taking house $2.5 million. Weber has at all 1xbet times obsessed over sports activities, particularly basketball, and poker appealed to his aggressive instincts; it played weekly on ESPN too. So whereas it was Weber’s love of sports activities that received him into playing, he didn’t gamble on sports activities right away—that came later, at 18.
Post a Comment