[Bro] Bitwise Operations

M K mkhan04 at gmail.com
Fri May 23 22:26:27 PDT 2014


Well, one reason would be to aid in detecting malware c2 traffic that can't
be detected with simple signatures or regular math operations.

As a grossly simplified example, imagine you've reverse engineered a piece
of c2 malware and have figured out what their handshake protocol looks
like. This malware always puts a key somewhere in the packet and then uses
that key to xor data in other parts of the packet. This method would be
used as a simple traffic obfuscation technique to prevent traditional
signature detection.

As it stands there's very little way (frankly, no way) for Bro to detect
this sort of stuff (and that was my response when someone asked if we could
implement something in Bro to detect some c2 traffic we're trying to track).

Assuming you have the full range of the bro language to leverage in the
signature framework's eval function, this is pretty much a requirement for
writing more advanced signatures and one of the reasons Snort introduced
Shared Object Rules into their system (
http://blog.snort.org/2011/02/snort-shared-object-rules.html).


On Sat, May 24, 2014 at 12:31 AM, Vern Paxson <vern at icir.org> wrote:

> > Looks like it wouldn't be too difficult to add bitwise operators that work
> > on integral types (int and count)
>
> Sure.  But can you please sketch a compelling use case for which it's
> important to add this functionality?  That's the general bar for deciding
> what sort of features to add.
>
>                 Vern
>
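To make the detection gap described in the reply above concrete, here is an added example (not code from the original post or from Bro): a constructed packet layout where a one-byte key sits at offset 0 and the handshake marker and body that follow are XORed with it. The marker `HELO`, the offsets and the packet builder are all assumptions for illustration; the point is that a plain substring signature misses the marker while a check that recovers the key and applies XOR finds it.

```python
"""Toy detector for an XOR-keyed handshake.

Assumed (constructed) packet layout, not any real malware format:
  byte 0      : single-byte XOR key
  bytes 1..4  : 4-byte handshake marker, XORed with the key
  bytes 5..   : body, XORed with the key
Because every packet can carry a different key, a static signature on the
marker only matches when the key happens to be 0x00; the detector has to
read the key from the packet and undo the XOR before comparing.
"""
from typing import Optional

MARKER = b"HELO"   # constructed handshake marker (assumption)
KEY_OFFSET = 0     # where the key byte sits (assumption)
DATA_OFFSET = 1    # where the XORed marker starts (assumption)


def decode(packet: bytes) -> Optional[bytes]:
    """Return the de-obfuscated marker+body, or None if the packet is too short."""
    if len(packet) < DATA_OFFSET + len(MARKER):
        return None
    key = packet[KEY_OFFSET]
    return bytes(b ^ key for b in packet[DATA_OFFSET:])


def naive_signature_matches(packet: bytes) -> bool:
    """What a plain content signature can do: look for the marker bytes as-is."""
    return MARKER in packet


def is_handshake(packet: bytes) -> bool:
    """Bitwise-aware check: the marker appears once the in-packet key is applied."""
    data = decode(packet)
    return data is not None and data.startswith(MARKER)


def build_packet(key: int, body: bytes) -> bytes:
    """Construct a sample packet in the assumed layout (test data only)."""
    return bytes([key]) + bytes(b ^ key for b in MARKER + body)


if __name__ == "__main__":
    for k in (0x00, 0x5A, 0xFF):
        pkt = build_packet(k, b"id=42")
        print(f"key={k:#04x} naive={naive_signature_matches(pkt)} "
              f"xor_aware={is_handshake(pkt)}")
```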