quadrantsec / sagan

Sagan is a multi-threaded, high performance log analysis engine. At its core, Sagan is similar to Suricata/Snort but with logs rather than network packets.
GNU General Public License v2.0

len or size keyword #38

Open bryant-smith opened 2 years ago

bryant-smith commented 2 years ago

len: [< > =] , <value> ;

It may only be used when dealing with json data but can be useful as a quick check before moving on.

quadrantsec commented 2 years ago

When you get a chance, can you provide a PoC signature that uses it. I'm trying to see how it would be useful, but I'm obviously missing something.

bryant-smith commented 2 years ago

Here's an example I was thinking. In this rule I can check for the DNS Query Type of TXT and then check to see if the length of the domain name is greater than 50 characters. If that passes then the regex checks for base64 encoding. This way there's a small check before moving onto regex.

I still think this will only really be useful when dealing with json data. A split function could also be handy here to split apart the subdomain from the domain and tld into an array. The json_len could then be checked against the subdomain in the array.

alert any $HOME_NET any -> $HOME_NET any (msg:"[MSDNS] Possible DNS Tunneling via TXT Query"; \
 program:msdns; \
 json_content:".SendReceiveIndicator","Snd"; \
 json_content:".QuestionType",TXT; \
 json_len:".QuestionName",>50; \
 json_pcre:".QuestionName","/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; \
 classtype:suspicious-traffic; sid:5555555; rev:1;)

quadrantsec commented 2 years ago

Perfect. So what would be the valid operators?

>, < and = ?

bryant-smith commented 2 years ago

I guess to cover everything something like: <, >, =, <=, >= and ! to be able to prefix any of those operators for negation.
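The following is an added example written for this page, not code from the Sagan project, showing how the operator set proposed in the last comment (<, >, =, <=, >= with an optional leading ! for negation) could be parsed and evaluated, and how such a length gate short-circuits the regex stage in the PoC rule above. The function names (parse_len_spec, len_matches, len_spec_eval, check_txt_query) are hypothetical and do not reflect Sagan's real implementation; JSON extraction is assumed to have already happened, the base64 pattern is rewritten as POSIX ERE because the example uses <regex.h> rather than PCRE, and both checks are applied to the leftmost label of QuestionName, following the "split" idea from the earlier comment. The sample names are constructed, not real msdns log data.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef enum { OP_LT, OP_GT, OP_EQ, OP_LE, OP_GE } len_op_t;

typedef struct {
    int negate;    /* leading '!' flips the comparison result */
    len_op_t op;
    long value;
} len_spec_t;

/* Parse the spec shape proposed in this thread: optional '!' then one of
 * <, >, =, <=, >= and a non-negative integer, e.g. ">50" or "!<=10".
 * Returns 0 on success, -1 if the text is malformed. (Hypothetical API.) */
int parse_len_spec(const char *s, len_spec_t *out)
{
    char *end;
    memset(out, 0, sizeof(*out));
    while (*s == ' ') s++;
    if (*s == '!') { out->negate = 1; s++; }
    if (s[0] == '<' && s[1] == '=')      { out->op = OP_LE; s += 2; }
    else if (s[0] == '>' && s[1] == '=') { out->op = OP_GE; s += 2; }
    else if (s[0] == '<')                { out->op = OP_LT; s += 1; }
    else if (s[0] == '>')                { out->op = OP_GT; s += 1; }
    else if (s[0] == '=')                { out->op = OP_EQ; s += 1; }
    else return -1;
    out->value = strtol(s, &end, 10);
    if (end == s || *end != '\0' || out->value < 0) return -1;
    return 0;
}

/* Evaluate a parsed spec against an observed length: 1 = match, 0 = no match. */
int len_matches(const len_spec_t *spec, size_t len)
{
    long n = (long)len;
    int r = 0;
    switch (spec->op) {
    case OP_LT: r = n <  spec->value; break;
    case OP_GT: r = n >  spec->value; break;
    case OP_EQ: r = n == spec->value; break;
    case OP_LE: r = n <= spec->value; break;
    case OP_GE: r = n >= spec->value; break;
    }
    return spec->negate ? !r : r;
}

/* Parse and evaluate in one call: -1 on a malformed spec, else 0 or 1. */
int len_spec_eval(const char *spec_text, size_t len)
{
    len_spec_t spec;
    if (parse_len_spec(spec_text, &spec) != 0) return -1;
    return len_matches(&spec, len);
}

/* Mirror of the PoC rule's check order for one record whose QuestionType and
 * QuestionName were already pulled out of the JSON. Length gate and regex both
 * run on the leftmost label. Return value says which stage decided:
 *   -1 = malformed length spec      0 = QuestionType is not TXT
 *    1 = label fails the length gate, so the regex never runs
 *    2 = label is long enough but not base64-shaped
 *    3 = all stages matched; the rule would fire */
int check_txt_query(const char *qtype, const char *qname, const char *len_spec_text)
{
    char label[256];
    regex_t re;
    size_t n;
    int rc;

    if (strcmp(qtype, "TXT") != 0) return 0;

    n = strcspn(qname, ".");                   /* leftmost label length */
    if (n >= sizeof(label)) n = sizeof(label) - 1;
    memcpy(label, qname, n);
    label[n] = '\0';

    rc = len_spec_eval(len_spec_text, n);
    if (rc < 0) return -1;
    if (rc == 0) return 1;                     /* cheap gate failed: skip regex */

    /* The PoC's base64 pattern as POSIX ERE (no (?:...) groups). */
    if (regcomp(&re, "^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$",
                REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, label, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 3 : 2;
}

int main(void)
{
    /* Constructed sample names, not real msdns log data. */
    const char *tunnel = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                         "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ".example.com";
    printf("60-char base64 label, TXT: %d\n", check_txt_query("TXT", tunnel, ">50"));
    printf("www.example.com, TXT:      %d\n", check_txt_query("TXT", "www.example.com", ">50"));
    printf("same label, A query:       %d\n", check_txt_query("A", tunnel, ">50"));
    return 0;
}
```

The point of the staged return code is to make the ordering visible: a short label returns 1 without ever compiling or running the regex, which is the "small check before moving onto regex" argument from the thread. Negation is handled uniformly by flipping the result of whichever operator follows the !, so "!<=10" behaves as "greater than 10".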