Tuesday, March 2, 2010

Snort Signature Practice: decode.c

decode.c steps through a Snort signature and rewrites the printable bytes inside its content: "...|xx|..." hex blocks as ASCII, so that the rule is easier to read. Anything outside the hex blocks is left as it is.

Using a sample (by Don Jackson of SecureWorks) from the Emerging Threats virus rules, first as published and then as decode.c prints it:

dennis@ipa:~/projects/decode$ ./decode
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET "; offset:0; depth:4; content:"User-Agent: Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)
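The following is an added example of how such a decoder can be written; it is not the original decode.c from this post, and the function name decode_rule and the behaviour of reading rules from stdin are my own choices. It only touches strings that follow a content: (or uricontent:) keyword, so a '|' inside a pcre is not mistaken for a hex block, and it keeps the bytes Snort does not allow literally in a content string (", ;, |, \) and all non-printable bytes in hex, so the output is still a loadable rule.

```c
/* snort_decode.c: print Snort rules with the printable bytes of their
 * content:"...|xx|..." hex blocks rendered as ASCII. Added example, not
 * the original decode.c from the post. Bytes that Snort requires to stay
 * escaped inside a content string (", ;, |, \) and non-printable bytes
 * are left in hex, so the output is still a valid rule.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Bytes that must remain inside a |..| block in a Snort content string. */
static int needs_hex(unsigned char b)
{
    return !isprint(b) || b == '"' || b == ';' || b == '|' || b == '\\';
}

/* True if the text [start,end) ends with "content:" (this also matches
 * uricontent:), ignoring a trailing '!' (negated content) and spaces.
 * Only those strings are decoded, so a '|' in a pcre is left alone. */
static int after_content_keyword(const char *start, const char *end)
{
    const char *kw = "content:";
    size_t n = strlen(kw);
    while (end > start && (end[-1] == ' ' || end[-1] == '!')) end--;
    return (size_t)(end - start) >= n && memcmp(end - n, kw, n) == 0;
}

/* Decode one rule line. Returns a malloc'd string (caller frees), or NULL
 * if a hex block is malformed (non-hex digit, odd digit count, no closing
 * '|'). Text outside content strings is copied through unchanged. */
char *decode_rule(const char *rule)
{
    size_t cap = 2 * strlen(rule) + 8;      /* output never exceeds 2x input */
    char *out = malloc(cap), *o = out;
    int in_quote = 0, decode = 0;
    if (!out) return NULL;

    for (const char *p = rule; *p; ) {
        if (*p == '"') {                     /* entering or leaving a string */
            decode = !in_quote && after_content_keyword(out, o);
            in_quote = !in_quote;
            *o++ = *p++;
            continue;
        }
        if (in_quote && *p == '\\' && p[1]) { /* keep escaped pairs intact */
            *o++ = *p++; *o++ = *p++;
            continue;
        }
        if (!in_quote || !decode || *p != '|') { *o++ = *p++; continue; }

        /* at the opening '|' of a hex block inside a content string */
        int hex_open = 0, nbytes = 0;
        for (p++; *p && *p != '|'; ) {
            if (isspace((unsigned char)*p)) { p++; continue; }
            int hi = hexval((unsigned char)p[0]);
            int lo = p[1] ? hexval((unsigned char)p[1]) : -1;
            if (hi < 0 || lo < 0) { free(out); return NULL; }
            unsigned char b = (unsigned char)(hi * 16 + lo);
            p += 2;
            if (needs_hex(b)) {              /* re-emit inside a |..| block */
                if (!hex_open) { *o++ = '|'; hex_open = 1; nbytes = 0; }
                if (nbytes++) *o++ = ' ';
                o += sprintf(o, "%02X", b);
            } else {                         /* printable: emit as ASCII */
                if (hex_open) { *o++ = '|'; hex_open = 0; }
                *o++ = (char)b;
            }
        }
        if (*p != '|') { free(out); return NULL; }   /* unterminated block */
        p++;
        if (hex_open) *o++ = '|';
    }
    *o = '\0';
    return out;
}

int main(void)
{
    char line[8192];
    while (fgets(line, sizeof line, stdin)) {
        char *d = decode_rule(line);
        if (!d) { fprintf(stderr, "malformed hex block: %s", line); continue; }
        fputs(d, stdout);
        free(d);
    }
    return 0;
}
```

Run it as "./snort_decode < emerging-virus.rules" to decode a whole rule file. A block such as |41 0D 0A 42| comes out as A|0D 0A|B, that is, the CRLF stays in hex while the letters around it become readable; a malformed block is reported on stderr and the rule is skipped rather than silently rewritten.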
