[Bro] Bitwise Operations

Seth Hall seth at icir.org
Tue May 27 10:27:13 PDT 2014

On May 27, 2014, at 12:01 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> In my mind malware C2 communications comes in three flavors.
>  - repurposed HTTP (RFC compliant)
>  - modified HTTP (just enough to make it not work with Bro's HTTP analyzer)
>  - custom binary

Nice list.  I think you've nailed it with these.  Fortunately there has been work in progress for several years that should help address points 2 and 3. ;)

For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email).  I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either.

> hooking events such as tcp_contents, the bitwise operator would be very handy but Bro's speed
> would likely be compromised.

Yeah, I *definitely* don't recommend that.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: xor.bro
Type: application/octet-stream
Size: 8772 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140527/d273d61a/attachment.obj 
-------------- next part --------------

Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140527/d273d61a/attachment.bin 

More information about the Bro mailing list