[Bro] Bitwise Operations
Seth Hall
seth at icir.org
Tue May 27 10:27:13 PDT 2014
On May 27, 2014, at 12:01 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> In my mind malware C2 communications come in three flavors.
> - repurposed HTTP (RFC compliant)
> - modified HTTP (just enough to make it not work with Bro's HTTP analyzer)
> - custom binary
Nice list. I think you've nailed it with these. Fortunately there has been work in progress for several years that should help address points 2 and 3. ;)
For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email). I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either.
> hooking events such as tcp_contents, the bitwise operator would be very handy but Bro's speed
> would likely be compromised.
Yeah, I *definitely* don't recommend that.
.Seth
Attachment: xor.bro (application/octet-stream, 8772 bytes): http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140527/d273d61a/attachment.obj
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
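As an added example (not the xor.bro Seth attached, which is not reproduced on this page), here is how XOR can be emulated in Bro/Zeek script using only integer division and modulo on counts. The BIF names (bytestring_to_count, hexstr_to_bytestring, bytestring_to_hexstr, fmt), string indexing and the while loop are assumptions about the Zeek script language, not something the thread specifies.

```zeek
# Added example, not the xor.bro Seth attached: XOR on counts using only
# integer division and modulo, since Bro script had no bitwise operators.
# Assumed Zeek/Bro features: count arithmetic, vector iteration, string
# indexing s[i], a while loop (Bro 2.5+), and the BIFs bytestring_to_count,
# hexstr_to_bytestring, bytestring_to_hexstr and fmt.

# Powers of two for the eight bits of one byte, lowest bit first.
const bit_weights: vector of count = vector(1, 2, 4, 8, 16, 32, 64, 128);

# XOR two byte values (0..255): a bit is set in the result exactly when
# the corresponding bits of a and b differ.
function byte_xor(a: count, b: count): count
	{
	local result = 0;
	for ( i in bit_weights )
		{
		local w = bit_weights[i];
		if ( (a / w) % 2 != (b / w) % 2 )
			result += w;
		}
	return result;
	}

# XOR a byte string against a repeating key, the scheme often used to
# lightly obfuscate C2 payloads. Applying it twice restores the input.
function xor_string(data: string, key: string): string
	{
	local out = "";
	local i = 0;
	while ( i < |data| )
		{
		local d = bytestring_to_count(data[i]);
		local k = bytestring_to_count(key[i % |key|]);
		out += hexstr_to_bytestring(fmt("%02x", byte_xor(d, k)));
		++i;
		}
	return out;
	}

event zeek_init()   # bro_init in Bro 2.x
	{
	# Constructed sample: mask a plaintext with a key and round-trip it.
	local masked = xor_string("GET /beacon", "k3y");
	print fmt("masked: %s", bytestring_to_hexstr(masked));
	print fmt("recovered: %s", xor_string(masked, "k3y"));
	}
```

Later Zeek releases added native bitwise operators on counts, which make this kind of arithmetic emulation unnecessary; the per-byte loop above is only worth running on already-extracted payloads, not on every packet.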