"Fortunately there has been work in progress for several years that should help address points 2 and 3. ;)"

I assume you're talking about the dynamic plugin capability Robin is working on -- or is it something else? Are there any details you can share?

"For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email).  I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either."

Although you can implement all of the bitwise operators in the Bro language using arithmetic operators, it seems overly cumbersome to use them for operators that are implemented literally using one instruction in almost every hardware platform (that's not to say writing Bro script will turn it into one instruction, it's just to say individual math operations are fast). And for my use case, which is specifically using it as part of the signature framework, it's probably highly likely that it would be doing it constantly.

As an example (I wanted to make sure it would actually work), I created a test signature that used eval to call a Bro function I wrote that used the ^ and & operators to detect a specific sequence that's seen during the handshake/setup of a piece of C2 and ran this on a canned sample pcap. It worked and fired off a signature match event. Obviously this is more anecdotal than anything else and would require further testing to ensure that my code isn't a massive false positive generator and would actually perform well on live traffic, but it shows that such operators have some potential. At the least, if not as individual operators, it'd be beneficial to create some built-ins that can take care of this at a lower level.

The caveat with what I've mentioned, though, is that all of this is just an idea right now that I'm still formulating the extent of, and there are no actual plans for implementation anytime soon, so it's possible you guys might add some capability in the meantime to Bro that obviates the need for this.

On Tue, May 27, 2014 at 1:27 PM, Seth Hall <seth@icir.org> wrote:

On May 27, 2014, at 12:01 PM, anthony kasza <anthony.kasza@gmail.com> wrote:

> In my mind malware C2 communications comes in three flavors.
>  - repurposed HTTP (RFC compliant)
>  - modified HTTP (just enough to make it not work with Bro's HTTP analyzer)
>  - custom binary

Nice list.  I think you've nailed it with these.  Fortunately there has been work in progress for several years that should help address points 2 and 3. ;)

For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email).  I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either.

> hooking events such as tcp_contents, the bitwise operator would be very handy but Bro's speed
> would likely be compromised.

Yeah, I *definitely* don't recommend that.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
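For readers following the xor-in-scriptland discussion above, here is an added example of what such an emulation looks like in Bro script. It is not the implementation Seth attached to his mail and not part of the Bro distribution; it assumes Bro 2.x syntax (a `while` loop and `+=` on `count`) and emulates `^` and `&` on `count` values purely with `%`, `/` and `*`, the way a signature's `eval` condition function could call them. The self-checks in `bro_init` use constructed input values.

```bro
# Added example, not Seth's attached implementation.
# Emulates bitwise XOR on two counts using only arithmetic: walk both
# values from the least significant bit upward, and set the bit in the
# result whenever the two low bits differ.
function bit_xor(a: count, b: count): count
	{
	local x = a;
	local y = b;
	local result = 0;
	local place = 1;   # weight (1, 2, 4, ...) of the bit being examined

	while ( x > 0 || y > 0 )
		{
		# The lowest bits differ exactly when their parities differ.
		if ( x % 2 != y % 2 )
			result += place;

		x = x / 2;         # shift both values right by one bit
		y = y / 2;
		place = place * 2; # move on to the next bit weight
		}

	return result;
	}

# Same idea for bitwise AND: a result bit is set only when both low bits
# are set. The loop can stop as soon as either value runs out of bits.
function bit_and(a: count, b: count): count
	{
	local x = a;
	local y = b;
	local result = 0;
	local place = 1;

	while ( x > 0 && y > 0 )
		{
		if ( x % 2 == 1 && y % 2 == 1 )
			result += place;

		x = x / 2;
		y = y / 2;
		place = place * 2;
		}

	return result;
	}

event bro_init()
	{
	# Constructed sanity checks: 165 = 0b10100101, 90 = 0b01011010,
	# 255 = 0b11111111, 15 = 0b00001111.
	if ( bit_xor(165, 90) != 255 || bit_xor(255, 15) != 240 )
		print "bit_xor self-check failed";

	if ( bit_and(165, 90) != 0 || bit_and(255, 15) != 15 )
		print "bit_and self-check failed";

	print fmt("xor(165, 90) = %d, and(255, 15) = %d",
	          bit_xor(165, 90), bit_and(255, 15));
	}
```

Each call costs one loop iteration per bit of the larger operand, so on byte-sized values that is at most eight iterations of interpreted script per operation; that is the cost the thread is weighing against a native operator when the function is invoked from a signature on every matching packet.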