hzrat_handshake.lua is a Suricata Lua detection script that performs a bytewise XOR on the packet payload to identify the HZRat handshake.
local bit = require("bit")

-- Tell Suricata which buffers the script needs: only the packet payload.
function init(args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- Called once per packet; returns 1 on a match and 0 otherwise.
function match(args)
    local a = tostring(args["payload"])
    -- Guard against short payloads: a:byte(n) returns nil past the end of
    -- the string, and bit.bxor(nil, ...) would raise an error.
    if #a < 4 then
        return 0
    end
    local v1 = bit.bxor(a:byte(1), a:byte(3))
    local v2 = bit.bxor(a:byte(2), a:byte(4))
    -- SCLogNotice(string.format("%x", v1))
    -- SCLogNotice(string.format("%x", v2))
    if v1 == 0x69 and v2 == 0xa4 then
        return 1
    end
    return 0
end
The following Suricata rule uses the Lua script above; dsize:4 limits the check to packets whose payload is exactly 4 bytes long:
alert tcp any any -> any any (msg:"HZRat handshake detected"; luajit:hzrat_handshake.lua; dsize: 4; classtype:trojan-activity; sid:1009999; rev:1;)
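To validate the detection logic before deploying it, the same check can be reproduced outside Suricata. The following Python harness is an added example, not part of the original script: it mirrors the Lua match() function, applies the rule's dsize:4 constraint, and runs both over constructed 4-byte payloads (not captured traffic). The helper names hzrat_match, rule_fires, expected_handshake and scan are this example's own.

```python
"""Offline test harness for the HZRat handshake check (added example, not the
original Lua script). It re-implements the Lua match() logic so the detection
can be validated against constructed payloads without running Suricata."""

HZRAT_XOR_1 = 0x69  # expected value of byte1 XOR byte3 (from the Lua script)
HZRAT_XOR_2 = 0xA4  # expected value of byte2 XOR byte4 (from the Lua script)


def hzrat_match(payload: bytes) -> bool:
    """Mirror of the Lua match(): True when bytes (1,3) and (2,4) XOR to the
    HZRat constants. Payloads shorter than 4 bytes never match, which is the
    edge case the Lua script must guard against (nil from a:byte())."""
    if len(payload) < 4:
        return False
    v1 = payload[0] ^ payload[2]
    v2 = payload[1] ^ payload[3]
    return v1 == HZRAT_XOR_1 and v2 == HZRAT_XOR_2


def rule_fires(payload: bytes) -> bool:
    """Combine the rule's dsize:4 constraint with the Lua check, as the
    Suricata rule on the page does."""
    return len(payload) == 4 and hzrat_match(payload)


def expected_handshake(b0: int, b1: int) -> bytes:
    """Given the first two bytes, return the 4-byte payload that satisfies
    the XOR relation. Used here only to build positive test vectors; it shows
    that the check constrains byte pairs, not absolute byte values."""
    return bytes([b0, b1, b0 ^ HZRAT_XOR_1, b1 ^ HZRAT_XOR_2])


def scan(samples):
    """Evaluate (label, payload) pairs; return the labels the rule fires on."""
    return [label for label, p in samples if rule_fires(p)]


# Constructed samples (hypothetical, not real captures).
SAMPLES = [
    ("positive_a", expected_handshake(0x00, 0x00)),            # 00 00 69 a4
    ("positive_b", expected_handshake(0x12, 0x34)),            # 12 34 7b 90
    ("too_short", b"\x00\x00\x69"),                            # 3 bytes
    ("too_long", expected_handshake(0x00, 0x00) + b"\x00"),    # XOR ok, dsize != 4
    ("random", b"\xde\xad\xbe\xef"),                           # de^be = 0x60
]

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("alert:", label)
```

The "too_long" sample is the useful one: the XOR relation holds, so the Lua function alone would return 1, but the rule does not fire because dsize:4 excludes it. Keeping both checks in the harness makes it clear which of the two is responsible for a miss when tuning the rule.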