Monday, December 21, 2009

Rule2Alert Project Release

This is an idea I had a while ago and the Rule2Alert project implemented it (awesome work Josh)

Step1. Take a snort rule like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

Step2. Create a pcap (packet capture file) or network traffic to trigger this rule.
(Mind you certain things like pcre are incredibly challenging to implement)

Why is this useful you say?
I can see many uses -

1) You can test your rules to make sure they work

2) You can determine if overlap exists between one or more different rule (therefore, consider disabling one, or merging the rule into one). This was a goal of one of the public community/EmergingThreats/Sourcefire project that I think has dropped off the radar since it was initially started.

3) You can also test other non-snort Intrusion Detection Engines for known signatures to determine how much overlap exists.

4) An attacker could also use this tool to do some sneaky things. I won't go into much detail here, but leave a comment if you think of anything.

More on the project from "New Project - Rule2Alert" at http://malforge.com/node/22 or get the source code from http://code.google.com/p/rule2alert/

Tuesday, December 8, 2009

Jsunpack-n update 0.3.1b: Functionality Updates

Today I am releasing a new version of jsunpack-n that fixes several different bugs and increases the functionality of jsunpack-n.

This release REQUIRES an up to date version of YARA (1.3 or greater), because the rules file makes use of the new rule syntax. If you experience problems compiling the YARA rules, this is likely the reason.

In this release, I added support for lastModified, which attackers have used in attacks to prevent analysis (this will only work if you use a pcap file), since it is part of the network traffic that an attacker sends from a malicious server.

Here is the full CHANGELOG below:

1) rule updates for yara 1.3 rule language
2) fixes in PDF JavaScript parsing
3) improvements to the tree structure, made appending children better
4) cmdline options for logging and temporary directories
5) additions to pre.js and post.js to handle App.eval, String.eval, and better definitions for Adobe version variables
6) handle document.write and document.writeln with multiple parameters