Open bryant-smith opened 2 years ago
When you get a chance, can you provide a PoC signature that uses it? I'm trying to see how it would be useful, but I'm obviously missing something.
Here's an example I was thinking of. In this rule I can check for the DNS Query Type of TXT and then check to see if the length of the domain name is greater than 50 characters. If that passes, then the regex checks for base64 encoding. This way there's a small check before moving on to the regex.

I still think this will only really be useful when dealing with JSON data. A split function could also be handy here to split apart the subdomain from the domain and TLD into an array. The json_len could then be checked against the subdomain in the array.
alert any $HOME_NET any -> $HOME_NET any (msg:"[MSDNS] Possible DNS Tunneling via TXT Query"; \
program:msdns; \
json_content:".SendReceiveIndicator","Snd"; \
json_content:".QuestionType","TXT"; \
json_len:".QuestionName",>50; \
json_pcre:".QuestionName","/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; \
classtype:suspicious-traffic; sid:5555555; rev:1;)
Perfect. So what would be the valid operators?
>, < and =?
I guess to cover everything, something like: <, >, =, <=, >= and ! to be able to prefix any of those operators for negation.
len: [< > =] , <value> ;
It may only be used when dealing with JSON data, but it can be useful as a quick check before moving on.
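As an added illustration (not code from this thread or from the Sagan project), here is a small reference implementation of the proposed json_len semantics: the operator set <, >, =, <=, >= with an optional leading ! for negation, evaluated against a dotted key in a constructed msdns-style JSON event, plus the "split" idea of measuring only the subdomain part. The key-path walking, the two-label registrable-domain assumption and all function names are my own assumptions.

```python
import json
import re

# Constructed sample event shaped like the fields used in the rule above
# (field names from the thread; the values are made up for this example).
QNAME = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.example.com"  # 47 characters
SAMPLE_EVENT = json.dumps({
    "SendReceiveIndicator": "Snd",
    "QuestionType": "TXT",
    "QuestionName": QNAME,
})

# Grammar sketched in the thread: optional '!' prefix, one operator, integer value.
_SPEC_RE = re.compile(r"^\s*(!?)\s*(<=|>=|<|>|=)\s*(\d+)\s*$")


def parse_len_spec(spec):
    """Parse a json_len operator spec such as '>50' or '!<=20'.
    Returns (negate, op, value); raises ValueError when no operator is present."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad json_len spec: {spec!r}")
    return (m.group(1) == "!", m.group(2), int(m.group(3)))


def _lookup(event, key):
    """Walk a dotted key like '.QuestionName' or '.a.b'; None if any part is missing."""
    node = event
    for part in key.lstrip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def json_len(event_json, key, spec):
    """Proposed json_len: True if the length of event[key] satisfies spec."""
    value = _lookup(json.loads(event_json), key)
    if value is None:
        return False  # missing field never matches, like a failed content check
    negate, op, limit = parse_len_spec(spec)
    length = len(str(value))
    ops = {"<": length < limit, ">": length > limit, "=": length == limit,
           "<=": length <= limit, ">=": length >= limit}
    return (not ops[op]) if negate else ops[op]


def subdomain_len(name):
    """The split idea: length of everything left of the registrable domain.
    Assumes a two-label registrable domain (no public-suffix list here)."""
    labels = name.rstrip(".").split(".")
    return len(".".join(labels[:-2])) if len(labels) > 2 else 0
```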