Add a method that accepts an integer value and logs a hex value along with unittests
This module adds the windows_pe detection keyword and metadata logging with unittests that exercise its functionality. These changes provide functions for a C-shim that registers and uses the detection/logging.
Member
If we parse the PE in detection, we parse it again in logging, right? Can we store the parsed result in the File structure?
alert http any any -> any any (msg:"Windows PE file detected"; \
  flow:established,to_client; \
  file.data; content:"MZ"; startswith; \
  windows_pe:; \
alert http any any -> any any (msg:"x86_64 PE detected"; \
  flow:established,to_client; \
  file.data; content:"MZ"; startswith; \
  windows_pe: architecture: x86_64; \
Member
I don't think we use this syntax elsewhere; in other places it would be windows_pe: arch x86_64; (so no : inside the keyword arguments).
alert http any any -> any any (msg:"Packed x64 PE"; \
  flow:established,to_client; \
  file.data; content:"MZ"; startswith; \
  windows_pe: architecture: x86_64, size: >100000, sections: <4, entry_point: <4096; \
Member
I wonder if we should break this out into per-sub-option keywords, so they can be simpler as well as easier to optimize with things like prefiltering/fast_pattern.
Contributor (Author)
Meaning having keywords like "windows_pe_arch", "windows_pe_size", etc.?
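The example rules above match on four header fields (architecture, file size, section count, entry point), and the review thread asks whether the PE should be parsed once and the result reused by both detection and logging. The following is an added example, not code from the PR or from Suricata: a bounds-checked reader for the handful of PE header fields those options need, a small matcher for the `>`/`<` comparisons the rules use, and a hex renderer for the metadata log. Field offsets follow the Microsoft PE format reference linked on the page; all type and function names (`PeInfo`, `PeMatch`, `parse_pe`, `hex_field`, `sample_pe`) are hypothetical, and the input is a constructed header, not a real binary.

```rust
use std::convert::TryInto;

/// Everything the rule options above need, parsed once so detection and
/// logging can share it (hypothetical type, not the PR's File structure).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PeInfo {
    pub machine: u16,     // COFF Machine
    pub sections: u16,    // COFF NumberOfSections
    pub entry_point: u32, // optional header AddressOfEntryPoint (RVA)
    pub pe32_plus: bool,  // optional header Magic == 0x20b
    pub size: usize,      // bytes of file seen
}

fn u16_at(b: &[u8], off: usize) -> Option<u16> {
    Some(u16::from_le_bytes(b.get(off..off + 2)?.try_into().ok()?))
}
fn u32_at(b: &[u8], off: usize) -> Option<u32> {
    Some(u32::from_le_bytes(b.get(off..off + 4)?.try_into().ok()?))
}

/// Parse just enough of a PE image to answer the rule options. Every read
/// is bounds-checked, so a truncated or hostile e_lfanew yields None.
pub fn parse_pe(b: &[u8]) -> Option<PeInfo> {
    if b.get(0..2)? != b"MZ" {
        return None;
    }
    let e_lfanew = u32_at(b, 0x3c)? as usize;
    if b.get(e_lfanew..e_lfanew + 4)? != b"PE\0\0" {
        return None;
    }
    let coff = e_lfanew + 4; // 20-byte COFF file header
    let machine = u16_at(b, coff)?;
    let sections = u16_at(b, coff + 2)?;
    let opt_size = u16_at(b, coff + 16)? as usize; // SizeOfOptionalHeader
    let opt = coff + 20;
    if opt_size < 20 || b.len() < opt + opt_size {
        return None; // optional header missing or cut off
    }
    let pe32_plus = match u16_at(b, opt)? {
        0x10b => false,
        0x20b => true,
        _ => return None, // unknown Magic
    };
    let entry_point = u32_at(b, opt + 16)?;
    Some(PeInfo { machine, sections, entry_point, pe32_plus, size: b.len() })
}

/// Machine value to the architecture name used in the rules.
pub fn arch_name(machine: u16) -> &'static str {
    match machine {
        0x014c => "x86",
        0x8664 => "x86_64",
        0xaa64 => "arm64",
        _ => "unknown",
    }
}

/// Hex rendering of an integer header field for the metadata log.
pub fn hex_field(v: u32) -> String {
    format!("0x{:x}", v)
}

/// One comparison from the rule, e.g. `>100000` or `<4`.
#[derive(Debug, Clone, Copy)]
pub enum Cmp { Lt(u64), Gt(u64), Eq(u64) }

impl Cmp {
    fn test(self, v: u64) -> bool {
        match self { Cmp::Lt(n) => v < n, Cmp::Gt(n) => v > n, Cmp::Eq(n) => v == n }
    }
}

/// The option set of one windows_pe rule; None means "not constrained".
#[derive(Debug, Default, Clone, Copy)]
pub struct PeMatch {
    pub architecture: Option<&'static str>,
    pub size: Option<Cmp>,
    pub sections: Option<Cmp>,
    pub entry_point: Option<Cmp>,
}

impl PeMatch {
    pub fn matches(&self, pe: &PeInfo) -> bool {
        self.architecture.map_or(true, |a| a == arch_name(pe.machine))
            && self.size.map_or(true, |c| c.test(pe.size as u64))
            && self.sections.map_or(true, |c| c.test(pe.sections as u64))
            && self.entry_point.map_or(true, |c| c.test(pe.entry_point as u64))
    }
}

/// Constructed sample: DOS header, PE signature, COFF header and a PE32+
/// optional header for an x86_64 image with 3 sections, padded to 120000 bytes.
pub fn sample_pe() -> Vec<u8> {
    let mut b = vec![0u8; 64];
    b[0] = b'M'; b[1] = b'Z';
    b[0x3c..0x40].copy_from_slice(&64u32.to_le_bytes()); // e_lfanew
    b.extend_from_slice(b"PE\0\0");
    b.extend_from_slice(&0x8664u16.to_le_bytes()); // Machine: AMD64
    b.extend_from_slice(&3u16.to_le_bytes());      // NumberOfSections
    b.extend_from_slice(&[0u8; 12]);               // TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
    b.extend_from_slice(&240u16.to_le_bytes());    // SizeOfOptionalHeader (PE32+)
    b.extend_from_slice(&0x0022u16.to_le_bytes()); // Characteristics
    let mut opt = vec![0u8; 240];
    opt[0..2].copy_from_slice(&0x20bu16.to_le_bytes());   // Magic: PE32+
    opt[16..20].copy_from_slice(&0x400u32.to_le_bytes()); // AddressOfEntryPoint
    b.extend_from_slice(&opt);
    b.resize(120_000, 0);
    b
}

fn main() {
    let pe = parse_pe(&sample_pe()).expect("valid header");
    println!("arch={} sections={} entry_point={}", arch_name(pe.machine), pe.sections, hex_field(pe.entry_point));
    let packed = PeMatch { architecture: Some("x86_64"), size: Some(Cmp::Gt(100_000)),
                           sections: Some(Cmp::Lt(4)), entry_point: Some(Cmp::Lt(4096)) };
    println!("\"Packed x64 PE\" rule matches: {}", packed.matches(&pe));
}
```

Because `parse_pe` returns a plain value, the same `PeInfo` can be attached to the file once and read by every `windows_pe` instance in the ruleset and by the logger, which is the reuse the first reviewer asks about; it also makes the per-option keyword split discussed above cheap, since each sub-keyword would only compare one field of the already-parsed struct.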
C-shim for integrating windows_pe keyword into the detection engine.
Log windows_pe metadata for alerts and fileinfo objects.
Add documentation for the windows_pe keyword including example rules.
Information: QA ran without warnings. Pipeline = 29808
[Draft] Add a windows_pe keyword for detecting Windows Portable Executable (PE) files with metadata matching capabilities.
Rule keyword:
where
See https://learn.microsoft.com/en-us/windows/win32/debug/pe-format for values.
Here are some examples
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
Describe changes:
Provide values to any of the below to override the defaults.
link to the pull request in the respective _BRANCH variable.
SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=