├── README.md
├── suri-reversed-compressed-binary.lua
├── suri-nuclear-url.lua
├── tls-heartbleed.lua
├── suri-bh2-abc-jar.lua
├── suri-styx-url.lua
├── CVE-2015-1770.lua
├── suri-high-entropy.lua
├── CVE-2015-3113.lua
├── CVE-2015-2375.lua
├── CVE-2015-2377.lua
├── CVE-2015-2558.lua
├── suri-regin.lua
├── CVE-2015-1650.lua
├── CVE-2016-0056.lua
├── CVE-2015-2426.lua
├── suri-xbagging-xor.lua
├── CVE-2015-1641.lua
├── suri-xor-non-zero.lua
├── experimental.rules
├── CVE-2015-6132.lua
├── CVE-2014-4114.lua
├── suri-suspicious-pack200jar.lua
├── CVE-2013-0074.lua
├── CVE-2012-1535.lua
├── suri-suspicious-jar.lua
├── suri-xor-binary-detect.lua
├── suri-suspicious-vbe.lua
├── suri-xor-binary-quick.lua
├── luajit-drop.rules
├── luajit.rules
├── suri-suspicious-pdf.lua
├── suri-suspicious-jar2.lua
└── dyndomains-only.txt


/README.md:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/suri-reversed-compressed-binary.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | 
 3 |     This program is free software; you can redistribute it and/or modify
 4 |     it under the terms of the GNU General Public License as published by
 5 |     the Free Software Foundation; either version 2 of the License, or
 6 |     (at your option) any later version.
 7 | 
 8 |     This program is distributed in the hope that it will be useful,
 9 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
10 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 |     GNU General Public License for more details.
12 | 
13 |     You should have received a copy of the GNU General Public License along
14 |     with this program; if not, write to the Free Software Foundation, Inc.,
15 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
16 | 
17 | Requirements:
18 | 
19 |     #lua-zlib
20 |     https://github.com/brimworks/lua-zlib
21 |    
22 | This lua script can be run standalone and verbosely on a suspicious file with
23 | echo "run()" | luajit -i <script name> <file>
24 | 
25 | Will Metcalf
26 | Chris Wakelin
27 | --]]
28 | 
29 | local lz = require 'zlib'
30 | function init (args)
31 |     local needs = {}
32 |     needs["http.response_body"] = tostring(true)
33 |     return needs
34 | end
35 | 
36 | function common(t,verbose)
37 |     rtn = 0
38 | --- Look for zlib magic
39 |     if string.sub(t,-1) == "\120" then
40 |         stream = lz.inflate()
41 |         ustream, eof, bytes_in, uncompressed_len = stream(string.reverse(t))
42 |         if string.sub(ustream,1,2) == "MZ" then
43 |             rtn = 1
44 |             if (verbose==1) then
45 |                 print('Found Reversed Compressed MZ')
46 |             end
47 |         end
48 |     end
49 |     return rtn
50 | end
51 | 
52 | -- return match via table
53 | function match(args)
54 |     local t = tostring(args["http.response_body"])
55 |     return common(t,0)
56 | end
57 | 
58 | function run()
59 |   local f = io.open(arg[1])
60 |   local t = f:read("*all")
61 |   f:close()
62 |   if common(t,1) == 1 then print("Found Suspicious file in " .. arg[1]) end
63 | end
64 | 


--------------------------------------------------------------------------------
/suri-nuclear-url.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2013, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | This lua script can be run standalone and verbosely on a URI with
27 | echo "run()" | lua -i <script name> <URI>
28 | 
29 | Chris Wakelin
30 | --]]
31 | 
32 | function init (args)
33 |     local needs = {}
34 |     needs["http.uri"] = tostring(true)
35 |     return needs
36 | end
37 | 
38 | -- return match via table
39 | function common(a,verbose)
40 |     if verbose == 1 then print("Checking URI " .. a) end
41 | 
42 |     a = a:gsub("%.%w+$","")
43 |     a = a:gsub("[A-Z_-]","")
44 |     a = a:gsub("^(/%x*)/.*","%1")
45 |     if verbose == 1 then print("URI after stripping is " .. a) end
46 | 
47 |     if a:find("^/%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x$",1,false)  then
48 |         if verbose == 1 then print("URI matches Nuclear pattern") end
49 |         return 1
50 |     end
51 | 
52 |     return 0
53 | end
54 | 
55 | -- return match via table
56 | function match(args)
57 |     local t = tostring(args["http.uri"])
58 |     return common(t,0)
59 | end
60 | 
61 | function run()
62 |   local t = arg[1]
63 |   common(t,1)
64 | end
65 | 


--------------------------------------------------------------------------------
/tls-heartbleed.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2014, Victor Julien <victor@inliniac.net> 
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | Victor Julien
27 | --]]
28 | 
29 | function init (args)
30 |     local needs = {}
31 |     needs["payload"] = tostring(true)
32 |     return needs
33 | end
34 | 
35 | function match(args)
36 |     local p = args['payload']
37 |     if p == nil then
38 |         --print ("no payload")
39 |         return 0
40 |     end
41 |  
42 |     if #p < 8 then
43 |         --print ("payload too small")
44 |     end
45 |     if (p:byte(1) ~= 24) then
46 |         --print ("not a heartbeat")
47 |         return 0
48 |     end
49 |  
50 |     -- message length
51 |     len = 256 * p:byte(4) + p:byte(5)
52 |     --print (len)
53 |  
54 |     -- heartbeat length
55 |     hb_len = 256 * p:byte(7) + p:byte(8)
56 | 
57 |     -- 1+2+16
58 |     if (1+2+16) >= len  then
59 |         ---print ("invalid length heartbeat")
60 |         return 1
61 |     end
62 | 
63 |     -- 1 + 2 + payload + 16
64 |     if (1 + 2 + hb_len + 16) > len then
65 |         --print ("heartbleed attack detected: " .. (1 + 2 + hb_len + 16) .. " > " .. len)
66 |         return 1
67 |     end
68 |     --print ("no problems")
69 |     return 0
70 | end
71 | return 0
72 | 


--------------------------------------------------------------------------------
/suri-bh2-abc-jar.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2012, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | --]]
26 | 
27 | require("zip")
28 | 
29 | function init (args)
30 |     local needs = {}
31 |     needs["http.response_body"] = tostring(true)
32 |     return needs
33 | end
34 | 
35 | 
36 | -- return match via table
37 | function match(args)
38 | 
39 |     rtn = 0
40 | 
41 |     t = tostring(args["http.response_body"])
42 |     tmpname = os.tmpname()
43 |     tmp = io.open(tmpname,'w')
44 |     tmp:write(t)
45 |     tmp:close()
46 | 
47 |     numfiles = 0
48 |     stub = {}
49 | 
50 |     z = zip.open(tmpname)
51 | 
52 |     if z then 
53 |         for w in z:files() do
54 |             numfiles = numfiles + 1
55 |             fstub = string.find(w.filename,"[a-c].class",1,false)
56 |             if fstub then
57 |                 stub[w.filename:sub(fstub,fstub)] = w.filename:sub(1,fstub-1)
58 |             end
59 |         end
60 |         z:close()
61 |     end
62 |     if stub["a"] and stub["b"] and stub["c"] and (numfiles < 10) then
63 |         if (stub["a"] == stub["b"]) and (stub["b"] == stub["c"]) and (string.len(stub["a"]) > 3) then
64 |             rtn = 1
65 |         end
66 |     end
67 |     os.remove(tmpname)
68 |     return rtn
69 | end
70 | 


--------------------------------------------------------------------------------
/suri-styx-url.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2013, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | This lua script can be run standalone and verbosely on a URI
27 | echo "run()" | lua -i <script name> <URI>
28 | 
29 | It's based on research at http://malwarebiopsy.blogspot.co.uk/2013/06/styx-exploit-kit-pattern-emerges.html
30 | 
31 | Chris Wakelin
32 | --]]
33 | 
34 | function init (args)
35 |     local needs = {}
36 |     needs["http.uri"] = tostring(true)
37 |     return needs
38 | end
39 | 
40 | -- return match via table
41 | function common(a,verbose)
42 |     if verbose == 1 then print("Checking URI " .. a) end
43 | 
44 |     a = a:gsub("/%w+%.%w+$","")
45 |     a = a:gsub("[/_%-]","")
46 |     if verbose == 1 then print("URI after stripping is " .. a) end
47 | 
48 |     if #a < 200 or (#a % 5) ~= 1 then return 0 end
49 |     if verbose == 1 then print("URI is right length " .. #a) end
50 | 
51 |     if a:find("^%w%w%w%w%w%w",1,false) and string.gsub(a:sub(7),"[01]%w%w%w%w","") == "" then
52 |         if verbose == 1 then print("URI matches Styx pattern") end
53 |         return 1
54 |     end
55 | 
56 |     return 0
57 | end
58 | 
59 | -- return match via table
60 | function match(args)
61 |     local t = tostring(args["http.uri"])
62 |     return common(t,0)
63 | end
64 | 
65 | function run()
66 |   local t = arg[1]
67 |   common(t,1)
68 | end
69 | 


--------------------------------------------------------------------------------
/CVE-2015-1770.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 |     This program is free software; you can redistribute it and/or modify
 3 |     it under the terms of the GNU General Public License as published by
 4 |     the Free Software Foundation; either version 2 of the License, or
 5 |     (at your option) any later version.
 6 |     This program is distributed in the hope that it will be useful,
 7 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
 8 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 9 |     GNU General Public License for more details.
10 |     You should have received a copy of the GNU General Public License along
11 |     with this program; if not, write to the Free Software Foundation, Inc.,
12 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
13 | Detection for CVE-2015-1770 expects Compressed Office Doc (e.g., docx)
14 | This lua script can be run standalone and verbosely on a Flash file with
15 | echo "run()" | luajit -i <script name> <office file>
16 | Jason Williams
17 | Darien Huss
18 | --]]
19 | 
20 | require("zip")
21 | 
22 | function init (args)
23 |     local needs = {}
24 |     needs["http.response_body"] = tostring(true)
25 |     return needs
26 | end
27 | 
28 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
29 | function HexDumpString(str,spacer)
30 |     return (
31 |     string.gsub(str,"(.)",
32 |     function (c)
33 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
34 |     end)
35 |     )
36 | end
37 | 
38 | function doc_handler(t,verbose)
39 |     rtn = 0
40 |     tmpname = os.tmpname()
41 |     
42 |     tmp = io.open(tmpname,'w')
43 |     tmp:write(t)
44 |     tmp:close()
45 | 
46 |     z,err = zip.open(tmpname)
47 |     local buffers = {}
48 |     if z then
49 |         for w in z:files() do
50 |             if string.find(w.filename,"/activeX/activeX%d+\.xml") then
51 |                 f = z:open(w.filename);
52 |                 u = f:read("*all")
53 |                 --convert to lowercase
54 |                 u = u:lower()
55 |                 f:close()
56 |                 if (verbose==1) then print("Checking " .. w.filename) end
57 |                 if string.find(u,"{cddbcc7c-be18-4a58-9cbf-d62a012272ce}",0,true) then
58 |                   rtn2 = 1
59 |                 end
60 |                 if (verbose == 0) then
61 |                     if rtn2 == 1 then return 1 end
62 |                 end
63 |                 if rtn2 == 1 then rtn = rtn2 end
64 |             end
65 |         end
66 |     end
67 |     if err then print(err) end
68 |     if z then z:close() end
69 |     os.remove(tmpname)
70 |     return rtn
71 | end
72 | 
73 | function common(t,o,verbose)
74 |     rtn = 0
75 |     if string.sub(t,1,4) == "PK\003\004" then
76 |         rtn = doc_handler(t,verbose)
77 |     end
78 |     return rtn 
79 | end
80 | 
81 | function match(args)
82 |     local t = tostring(args["http.response_body"])
83 |     local o = args["offset"]
84 |     return common(t,o,0)
85 | end
86 | 
87 | function run()
88 |   local f = io.open(arg[1])
89 |   local t = f:read("*all")
90 |   f:close()
91 |   common(t,4,1)
92 | end


--------------------------------------------------------------------------------
/suri-high-entropy.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2013, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | This lua script can be run standalone and verbosely on a binary file with
27 | echo "run()" | lua -i <script name> <binary file>
28 | 
29 | Chris Wakelin
30 | --]]
31 | 
32 | function init (args)
33 |     local needs = {}
34 |     needs["http.response_body"] = tostring(true)
35 |     return needs
36 | end
37 | 
38 | -- return match via table
39 | function common(a,verbose)
40 |     local result = {}
41 | 
42 |     if #a < 10240 then 
43 |         return 0
44 |     end
45 | 
46 | -- how much of file to check
47 |     l = #a
48 | --    l=10240
49 | 
50 |     V={}
51 |     for i = 1, 256, 1 do
52 |       V[i] = 0
53 |      end
54 |     for i = 1, l, 1 do
55 |       V[a:byte(i) + 1] = V[a:byte(i) + 1] + 1
56 |     end
57 |     c = 0
58 |     log2 = math.log(2)
59 |     for i = 1, 256, 1 do
60 |       p = V[i]/l
61 |       if p > 0 then
62 |         c = c - (p * math.log(p)/log2)
63 |       end
64 |     end
65 |     if verbose==1 then print("Entropy is " .. c) end
66 |     if c > 7.7 then 
67 |       return 1
68 |     end
69 |     return 0
70 | end
71 | 
72 | -- return match via table
73 | function match(args)
74 |     local t = tostring(args["http.response_body"])
75 |     return common(t,0)
76 | end
77 | 
78 | function run()
79 |   local f = io.open(arg[1])
80 |   local t = f:read("*all")
81 |   f:close()
82 |   common(t,1)
83 | end
84 | 


--------------------------------------------------------------------------------
/CVE-2015-3113.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | # Copyright (c) 2003-2015, Emerging Threats/Proofpoint
 4 | # All rights reserved.
 5 | #
 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
 7 | # following conditions are met:
 8 | #
 9 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
10 | # disclaimer.
11 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
12 | # following disclaimer in the documentation and/or other materials provided with the distribution.
13 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
14 | # from this software without specific prior written permission.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
17 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
21 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
22 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 | #
24 | #*************************************************************
25 | Detection for CVE-2015-3113
26 | Darien Huss
27 | --]]
28 | 
29 | local struct = require 'struct'
30 | local bit = require 'bit'
31 | 
32 | function init(args)
33 | 	local needs = {}
34 | 	needs["http.response_body"] = tostring(true)
35 | 	return needs
36 | end
37 | 
38 | function match(args)
39 | 	local t = tostring(args["http.response_body"])
40 | 	if t == nil then
41 | 		return 0
42 | 		--print ("no payload")
43 | 	end
44 | 	return common(t,0)
45 | end
46 | 
47 | function common(t,verbose)
48 | 	local len = string.len(t)
49 | 	local offset = struct.unpack(">I4",string.sub(t,6,9))
50 | 	offset = offset + 4
51 | 	local tag_type
52 | 	local tmp_sound
53 | 	local soundformat
54 | 	local soundsize
55 | 	while offset + 1 < len do
56 | 		tag_type = string.byte(t,offset+1)
57 | 		tag_size = struct.unpack(">I3",string.sub(t,offset+2,offset+4))
58 | 		if tag_type == 8 then
59 | 			tmp_sound = string.byte(t,offset+12)
60 | 			soundformat = bit.rshift(bit.band(tmp_sound,240),4)
61 | 			soundsize = bit.rshift(bit.band(tmp_sound,2),1)
62 | 			if (soundformat == 4 or soundformat == 5 or soundformat == 6) and 
63 | 				soundsize == 0 and tag_size > 1024 then
64 | 				if verbose == 1 then print("Found possible CVE-2015-3113 in FLV") end
65 | 				return 1
66 | 			end
67 | 		end
68 | 		offset = offset + tag_size + 15
69 | 	end
70 | 	if verbose == 1 then print("Did not find anything suspicious...") end
71 | 	return 0
72 | end
73 | 
74 | function run()
75 |   local f = io.open(arg[1])
76 |   local t = f:read("*all")
77 |   f:close()
78 |   common(t,1)
79 | end


--------------------------------------------------------------------------------
/CVE-2015-2375.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 |     This program is free software; you can redistribute it and/or modify
 3 |     it under the terms of the GNU General Public License as published by
 4 |     the Free Software Foundation; either version 2 of the License, or
 5 |     (at your option) any later version.
 6 |     This program is distributed in the hope that it will be useful,
 7 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
 8 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 9 |     GNU General Public License for more details.
10 |     You should have received a copy of the GNU General Public License along
11 |     with this program; if not, write to the Free Software Foundation, Inc.,
12 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
13 | Detection for CVE-2015-2375 expects Compressed Office Doc (e.g., docx)
14 | This lua script can be run standalone and verbosely on a Flash file with
15 | echo "run()" | luajit -i <script name> <office file>
16 | Darien Huss
17 | --]]
18 | 
19 | require("zip")
20 | 
21 | function init (args)
22 |     local needs = {}
23 |     needs["http.response_body"] = tostring(true)
24 |     return needs
25 | end
26 | 
27 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
28 | function HexDumpString(str,spacer)
29 |     return (
30 |     string.gsub(str,"(.)",
31 |     function (c)
32 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
33 |     end)
34 |     )
35 | end
36 | 
37 | function doc_handler(t,verbose)
38 |     rtn = 0
39 |     tmpname = os.tmpname()
40 |     
41 |     tmp = io.open(tmpname,'w')
42 |     tmp:write(t)
43 |     tmp:close()
44 | 
45 |     z,err = zip.open(tmpname)
46 |     local buffers = {}
47 |     if z then
48 |         for w in z:files() do
49 |             if string.find(w.filename,"xl/tables/table%d+\.xml") then
50 |                 f = z:open(w.filename);
51 |                 u = f:read("*all")
52 |                 --convert to lowercase
53 |                 u = u:lower()
54 |                 f:close()
55 |                 if (verbose==1) then print("Checking " .. w.filename) end
56 |                 if string.find(u,"<x14:table",0,true) and string.find(u,"</x14:table>",0,true) then
57 |                     for table in string.gmatch(u,"<x14:table[^>]*>(.-)</x14:table>") do
58 |                         if string.len(table) >= 1976713 then
59 |                             rtn2 = 1
60 |                         end
61 |                     end
62 |                 end
63 |                 if (verbose == 0) then
64 |                     if rtn2 == 1 then return 1 end
65 |                 end
66 |                 if rtn2 == 1 then rtn = rtn2 end
67 |             end
68 |         end
69 |     end
70 |     if err then print(err) end
71 |     if z then z:close() end
72 |     os.remove(tmpname)
73 |     return rtn
74 | end
75 | 
76 | function common(t,o,verbose)
77 |     rtn = 0
78 |     if string.sub(t,1,4) == "PK\003\004" then
79 |         rtn = doc_handler(t,verbose)
80 |     end
81 |     return rtn 
82 | end
83 | 
84 | function match(args)
85 |     local t = tostring(args["http.response_body"])
86 |     local o = args["offset"]
87 |     return common(t,o,0)
88 | end
89 | 
90 | function run()
91 |   local f = io.open(arg[1])
92 |   local t = f:read("*all")
93 |   f:close()
94 |   common(t,4,1)
95 | end


--------------------------------------------------------------------------------
/CVE-2015-2377.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2015-2377 expects XLSX
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <xlsx file>
 20 | 
 21 | Will Metcalf
 22 | Chris Wakelin
 23 | Francis Trudeau
 24 | --]]
 25 | 
 26 | require("zip")
 27 | 
 28 | function init (args)
 29 |     local needs = {}
 30 |     needs["http.response_body"] = tostring(true)
 31 |     return needs
 32 | end
 33 | 
 34 | 
 35 | 
 36 | function find_legend_count(u,filename,verbose)
 37 |     local rtn = 0
 38 | 
 39 |     legendelements = string.gfind(u, "<c:legend.-</c:legend[^E]")
 40 |     for s in legendelements do
 41 |         if string.match(s, "<c:legendPos") then
 42 |             if (verbose==1) then print ("Valid legend") end
 43 |         else
 44 |             if (verbose==1) then print ("Possible CVE-2015-2377 found") end
 45 |             rtn = 1
 46 |         end
 47 |     end
 48 | end
 49 | 
 50 | function xls_handler(t,verbose)
 51 |     rtn = 0
 52 |     tmpname = os.tmpname()
 53 |     
 54 |     tmp = io.open(tmpname,'w')
 55 |     tmp:write(t)
 56 |     tmp:close()
 57 | 
 58 |     z,err = zip.open(tmpname)
 59 |     local buffers = {}
 60 |     if z then
 61 |         for w in z:files() do
 62 |             if string.find(w.filename,"xl/charts/",1,true) then
 63 |                 f = z:open(w.filename);
 64 |                 u = f:read("*all")
 65 |                 f:close()
 66 |                 if (verbose==1) then print("Checking " .. w.filename) end
 67 |                     rtn2 = find_legend_count(u,w.filename,verbose)
 68 |                     if (verbose == 0) then
 69 |                         if rtn2 == 1 then return 1 end
 70 |                     end
 71 |                     if rtn2 == 1 then rtn = rtn2 end
 72 |                 end
 73 |             end
 74 |     end
 75 |     if err then print(err) end
 76 |     if z then z:close() end
 77 |     os.remove(tmpname)
 78 |     return rtn
 79 | end
 80 | 
 81 | function common(t,o,verbose)
 82 |     rtn = 0
 83 |     if string.sub(t,1,4) == "PK\003\004" then
 84 |         rtn = xls_handler(t,verbose)
 85 |     end
 86 |     return rtn 
 87 | end
 88 | 
 89 | function match(args)
 90 |     local t = tostring(args["http.response_body"])
 91 |     local o = args["offset"]
 92 |     return common(t,o,0)
 93 | end
 94 | 
 95 | function run()
 96 |   local f = io.open(arg[1])
 97 |   local t = f:read("*all")
 98 |   f:close()
 99 |   common(t,4,1)
100 | end
101 | 


--------------------------------------------------------------------------------
/CVE-2015-2558.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 |     This program is free software; you can redistribute it and/or modify
 3 |     it under the terms of the GNU General Public License as published by
 4 |     the Free Software Foundation; either version 2 of the License, or
 5 |     (at your option) any later version.
 6 |     This program is distributed in the hope that it will be useful,
 7 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
 8 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 9 |     GNU General Public License for more details.
10 |     You should have received a copy of the GNU General Public License along
11 |     with this program; if not, write to the Free Software Foundation, Inc.,
12 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
13 | Detection for CVE-2015-2558 expects Compressed Office Excel (e.g., xlsx)
14 | This lua script can be run standalone and verbosely on a Flash file with
15 | echo "run()" | luajit -i <script name> <office file>
16 | Darien Huss
17 | --]]
18 | 
19 | require("zip")
20 | 
21 | function init (args)
22 |     local needs = {}
23 |     needs["http.response_body"] = tostring(true)
24 |     return needs
25 | end
26 | 
27 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
28 | function HexDumpString(str,spacer)
29 |     return (
30 |     string.gsub(str,"(.)",
31 |     function (c)
32 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
33 |     end)
34 |     )
35 | end
36 | 
37 | function doc_handler(t,verbose)
38 |     rtn = 0
39 |     tmpname = os.tmpname()
40 |     
41 |     tmp = io.open(tmpname,'w')
42 |     tmp:write(t)
43 |     tmp:close()
44 | 
45 |     z,err = zip.open(tmpname)
46 |     local buffers = {}
47 |     if z then
48 |         for w in z:files() do
49 |             if string.find(w.filename,"xl/workbook.xml",0,true) then
50 |                 f = z:open(w.filename);
51 |                 u = f:read("*all")
52 |                 --convert to lowercase
53 |                 u = u:lower()
54 |                 f:close()
55 |                 if (verbose==1) then print("Checking " .. w.filename) end
56 |                 if string.find(u,"</fileversion>",0,true) and string.find(u,"<fileversion",0,true) then
57 |                     for table in string.gmatch(u,"<fileversion[^>]*>(.-)</fileversion>") do
58 |                         if string.len(table) >= 2625 then
59 |                             if (verbose==1) then print("Found possible CVE-2015-2558") end
60 |                             rtn2 = 1
61 |                         end
62 |                     end
63 |                 end
64 |                 if (verbose == 0) then
65 |                     if rtn2 == 1 then return 1 end
66 |                 end
67 |                 if rtn2 == 1 then rtn = rtn2 end
68 |             end
69 |         end
70 |     end
71 |     if err then print(err) end
72 |     if z then z:close() end
73 |     os.remove(tmpname)
74 |     return rtn
75 | end
76 | 
77 | function common(t,o,verbose)
78 |     rtn = 0
79 |     if string.sub(t,1,4) == "PK\003\004" then
80 |         rtn = doc_handler(t,verbose)
81 |     end
82 |     return rtn 
83 | end
84 | 
85 | function match(args)
86 |     local t = tostring(args["http.response_body"])
87 |     local o = args["offset"]
88 |     return common(t,o,0)
89 | end
90 | 
91 | function run()
92 |   local f = io.open(arg[1])
93 |   local t = f:read("*all")
94 |   f:close()
95 |   common(t,4,1)
96 | end


--------------------------------------------------------------------------------
/suri-regin.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | # Copyright (c) 2003-2013, Emerging Threats
 4 | # All rights reserved.
 5 | #
 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
 7 | # following conditions are met:
 8 | #
 9 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
10 | # disclaimer.
11 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
12 | # following disclaimer in the documentation and/or other materials provided with the distribution.
13 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
14 | # from this software without specific prior written permission.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
17 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
21 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
22 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 | #
24 | #*************************************************************
25 | Detection for Regin malware
26 | http://symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
27 | http://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf
28 | Darien Huss
29 | Will Metcalf
30 | --]]
31 | 
32 | local apr = require 'apr.core'
33 | 
34 | function init (args)
35 | 	local needs = {}
36 | 	needs["payload"] = tostring(true)
37 | 	return needs
38 | end
39 | 
40 | function match(args)
41 | 	local p = tostring(args["payload"])
42 | 	if p == nil then
43 | 		return 0
44 | 		--print ("no payload")
45 | 	end
46 | 	return common(p,0)
47 | end
48 | 
49 | function common(p,verbose)
50 | 
51 | 	--need to correct base64 string with appended equal signs if needed
52 | 	base64_append = #p % 4
53 | 
54 | 	if base64_append == 1 then
55 | 		--print("Invalid base64 encoded length")
56 | 		return 0
57 | 	elseif base64_append == 2 then
58 | 		p = p .. "=="
59 | 	elseif base64_append == 3 then
60 | 		p = p .. "="
61 | 	end
62 | 	p = string.gsub(p, "%.", "+")
63 | 	p = string.gsub(p, "_", "/")
64 | 
65 | 	decodedata = tostring(apr.base64_decode(p))
66 | 
67 | 	if ((decodedata:byte(1) == 1 and #decodedata == decodedata:byte(2)) or 
68 | 		(decodedata:byte(1) ~= 1 and #decodedata == decodedata:byte(5))) and
69 | 		decodedata:byte(9) == string.byte('s') and
70 | 		decodedata:byte(18) == string.byte('h') and
71 | 		decodedata:byte(27) == string.byte('i') and
72 | 		decodedata:byte(36) == string.byte('t') then
73 | 			if verbose == 1 then print("Data matches Regin init struct") end
74 | 			return 1
75 | 	end
76 | 	if verbose == 1 then print("Data does not match Regin init struct") end
77 | 	return 0
78 | end
79 | 
80 | function run()
81 | 	local t = arg[1]
82 | 	common(t,1)
83 | end
84 | 


--------------------------------------------------------------------------------
/CVE-2015-1650.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2015-1650 expects DOCX
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <docx file>
 20 | 
 21 | Darien Huss
 22 | --]]
 23 | 
 24 | require("zip")
 25 | 
 26 | function init (args)
 27 |     local needs = {}
 28 |     needs["http.response_body"] = tostring(true)
 29 |     return needs
 30 | end
 31 | 
 32 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
 33 | function HexDumpString(str,spacer)
 34 |     return (
 35 |     string.gsub(str,"(.)",
 36 |     function (c)
 37 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
 38 |     end)
 39 |     )
 40 | end
 41 | 
 42 | function docx_handler(t,verbose)
 43 |     rtn = 0
 44 |     tmpname = os.tmpname()
 45 |     
 46 |     tmp = io.open(tmpname,'w')
 47 |     tmp:write(t)
 48 |     tmp:close()
 49 | 
 50 |     z,err = zip.open(tmpname)
 51 |     local buffers = {}
 52 |     if z then
 53 |         for w in z:files() do
 54 |             if string.find(w.filename,"word/numbering.xml",1,true) then
 55 |                 f = z:open(w.filename);
 56 |                 u = f:read("*all")
 57 |                 --convert to lowercase
 58 |                 u = u:lower()
 59 |                 f:close()
 60 |                 if (verbose==1) then print("Checking " .. w.filename) end
 61 |                     --search for unique content first for performance, all matches lowercase
 62 |                     if string.find(u,'<w:lvljc') then
 63 |                         --search each lvlJc for invalid combinations of inner tags
 64 |                         for lvlJcTag in string.gmatch(u,'<w:lvljc(.-)</w:lvljc>') do
 65 |                             --if invalid combination found, alert
 66 |                             if string.find(lvlJcTag,'<w:num') then
 67 |                                 rtn2 = 1
 68 |                             end
 69 |                         end
 70 |                     end
 71 |                     if (verbose == 0) then
 72 |                         if rtn2 == 1 then return 1 end
 73 |                     end
 74 |                     if rtn2 == 1 then rtn = rtn2 end
 75 |                 end
 76 |             end
 77 |     end
 78 |     if err then print(err) end
 79 |     if z then z:close() end
 80 |     os.remove(tmpname)
 81 |     return rtn
 82 | end
 83 | 
 84 | function common(t,o,verbose)
 85 |     rtn = 0
 86 |     if string.sub(t,1,4) == "PK\003\004" then
 87 |         rtn = docx_handler(t,verbose)
 88 |     end
 89 |     return rtn 
 90 | end
 91 | 
 92 | function match(args)
 93 |     local t = tostring(args["http.response_body"])
 94 |     local o = args["offset"]
 95 |     return common(t,o,0)
 96 | end
 97 | 
 98 | function run()
 99 |   local f = io.open(arg[1])
100 |   local t = f:read("*all")
101 |   f:close()
102 |   common(t,4,1)
103 | end
104 | 


--------------------------------------------------------------------------------
/CVE-2016-0056.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2016-0056 expects DOCX
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <docx file>
 20 | 
 21 | Francis Trudeau
 22 | With no help from Darien even though he loves LUA.
 23 | 
 24 | --]]
 25 | 
 26 | require("zip")
 27 | 
 28 | function init (args)
 29 |     local needs = {}
 30 |     needs["http.response_body"] = tostring(true)
 31 |     return needs
 32 | end
 33 | 
 34 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
 35 | function HexDumpString(str,spacer)
 36 |     return (
 37 |     string.gsub(str,"(.)",
 38 |     function (c)
 39 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
 40 |     end)
 41 |     )
 42 | end
 43 | 
 44 | function docx_handler(t,verbose)
 45 |     rtn = 0
 46 |     tmpname = os.tmpname()
 47 |     
 48 |     tmp = io.open(tmpname,'w')
 49 |     tmp:write(t)
 50 |     tmp:close()
 51 | 
 52 |     z,err = zip.open(tmpname)
 53 |     local buffers = {}
 54 |     if z then
 55 |         for w in z:files() do
 56 |             if string.find(w.filename,"word/_rels/webSettings.xml.rels",1,true) then
 57 |                 f = z:open(w.filename);
 58 |                 u = f:read("*all")
 59 |                 --convert to lowercase
 60 |                 u = u:lower()
 61 |                 f:close()
 62 |                 if (verbose==1) then print("Checking " .. w.filename) end
 63 |                     --search for unique content first for performance, all matches lowercase
 64 |                     if string.find(u,".docx",0,true) and string.find(u,"http://",0,true) and string.find(u,"targetmode",0,true) and string.find(u,"frame",0,true) then
 65 |  
 66 |                         for capture in string.gmatch(u, "(%b<>)") do 
 67 |                             if string.match(capture,"['\"]http://[^'\"]*%.docx",0) and string.match(u,"targetmode%s*=%s*['\"][^'\"]*external",0) then 
 68 |                                 rtn = 1
 69 |                             end
 70 |                         end
 71 |                     if (verbose == 1) then print("Found possible CVE-2016-0056 in DOCX") end
 72 |                     end
 73 |                 end
 74 |             end
 75 |     end
 76 |     if err then print(err) end
 77 |     if z then z:close() end
 78 |     os.remove(tmpname)
 79 |     return rtn
 80 | end
 81 | 
 82 | function common(t,o,verbose)
 83 |     rtn = 0
 84 |     if string.sub(t,1,4) == "PK\003\004" then
 85 |         rtn = docx_handler(t,verbose)
 86 |     end
 87 |     return rtn 
 88 | end
 89 | 
 90 | function match(args)
 91 |     local t = tostring(args["http.response_body"])
 92 |     local o = args["offset"]
 93 |     return common(t,o,0)
 94 | end
 95 | 
 96 | function run()
 97 |   local f = io.open(arg[1])
 98 |   local t = f:read("*all")
 99 |   f:close()
100 |   common(t,4,1)
101 | end
102 | 


--------------------------------------------------------------------------------
/CVE-2015-2426.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 |     This program is free software; you can redistribute it and/or modify
 3 |     it under the terms of the GNU General Public License as published by
 4 |     the Free Software Foundation; either version 2 of the License, or
 5 |     (at your option) any later version.
 6 |     This program is distributed in the hope that it will be useful,
 7 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
 8 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 9 |     GNU General Public License for more details.
10 |     You should have received a copy of the GNU General Public License along
11 |     with this program; if not, write to the Free Software Foundation, Inc.,
12 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
13 | Detection for CVE-2015-2426
14 | This lua script can be run standalone and verbosely on an OTF
15 | echo "run()" | luajit -i <script name> <otf file>
16 | Darien Huss
17 | --]]
18 | 
19 | local struct = require 'struct'
20 | 
21 | function init (args)
22 |     local needs = {}
23 |     needs["http.response_body"] = tostring(true)
24 |     return needs
25 | end
26 | 
27 | function otf_handler(t,verbose)
28 |     local lW3Qtm = 0
29 |     local m3Kh4A4p,endpos = string.find(string.sub(t,1,512),"GPOS",8,true)
30 |     if m3Kh4A4p then
31 |         if (verbose==1) then print("Checking for exploit...") end
32 |         local XBQl1ZKlz3WML = struct.unpack(">I4",string.sub(t,m3Kh4A4p+8,m3Kh4A4p+12))
33 |         local JWPNj9vwtEJd = struct.unpack(">I4",string.sub(t,m3Kh4A4p+12,m3Kh4A4p+16))
34 |         local c42Z5feS8Aor = string.sub(t,XBQl1ZKlz3WML+1,XBQl1ZKlz3WML+JWPNj9vwtEJd)
35 |         local OMxfqj = struct.unpack(">I2",string.sub(c42Z5feS8Aor,9,10))+1
36 |         local QQccb57IymQt = struct.unpack(">I2",string.sub(c42Z5feS8Aor,OMxfqj,OMxfqj+1))
37 |         local ZyYotB2iiDoO6 = 1
38 |         while ZyYotB2iiDoO6 <= QQccb57IymQt do
39 |             local M9TVRXZ4evo = (ZyYotB2iiDoO6*2)+OMxfqj
40 |             local k37vOs3gCkod = struct.unpack(">I2",string.sub(c42Z5feS8Aor,M9TVRXZ4evo,M9TVRXZ4evo+1))+OMxfqj
41 |             local S3zBIF4IaXj = struct.unpack(">I2",string.sub(c42Z5feS8Aor,k37vOs3gCkod,k37vOs3gCkod+1))
42 |             if S3zBIF4IaXj == 2 then
43 |                 local SAPn14ROAXSjH = struct.unpack(">I2",string.sub(c42Z5feS8Aor,k37vOs3gCkod+4,k37vOs3gCkod+5))
44 |                 local mnk4bl9w5 = 1
45 |                 while mnk4bl9w5 <= SAPn14ROAXSjH do
46 |                     local TLAxob22Vbkpx = (mnk4bl9w5*2)+k37vOs3gCkod+4
47 |                     local tUKUTX = struct.unpack(">I2",string.sub(c42Z5feS8Aor,TLAxob22Vbkpx,TLAxob22Vbkpx+1))+k37vOs3gCkod
48 |                     local DiWQxNh94SS = struct.unpack(">I2",string.sub(c42Z5feS8Aor,tUKUTX,tUKUTX+1))
49 |                     if DiWQxNh94SS == 2 then
50 |                         if struct.unpack(">I2",string.sub(c42Z5feS8Aor,tUKUTX+12,tUKUTX+13)) == 0 or
51 |                             struct.unpack(">I2",string.sub(c42Z5feS8Aor,tUKUTX+14,tUKUTX+15)) == 0 then
52 |                             lW3Qtm = 1
53 |                             if (verbose==1) then print("Found exploit...") end
54 |                         end
55 |                     end
56 |                     mnk4bl9w5 = mnk4bl9w5 + 1
57 |                 end
58 |             end
59 |             ZyYotB2iiDoO6 = ZyYotB2iiDoO6 + 1
60 |         end
61 |     end
62 |     return lW3Qtm
63 | end
64 | 
65 | function common(t,o,verbose)
66 |     rtn = 0
67 |     rtn = otf_handler(t,verbose)
68 |     return rtn
69 | end
70 | 
71 | function match(args)
72 |     local t = tostring(args["http.response_body"])
73 |     local o = args["offset"]
74 |     return common(t,o,0)
75 | end
76 | 
77 | function run()
78 |   local f = io.open(arg[1])
79 |   local t = f:read("*all")
80 |   f:close()
81 |   common(t,4,1)
82 | end


--------------------------------------------------------------------------------
/suri-xbagging-xor.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2013, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | This lua script can be run standalone and verbosely on a binary file with
27 | echo "run()" | lua -i <script name> <binary file>
28 | 
29 | Chris Wakelin
30 | --]]
31 | 
32 | function init (args)
33 |     local needs = {}
34 |     needs["http.response_body"] = tostring(true)
35 |     return needs
36 | end
37 | 
38 | -- return match via table
39 | function common(a,verbose)
40 |     local bit = require("bit")
41 | 
42 |     key = {}
43 | 
44 |     if #a < 1024 then 
45 |         return 0
46 |     end
47 | 
48 | -- Usually bytes 0x28 to 0x3b are 0-padding,
49 | -- so may actually contain the Key; decode PE offset at 0x3c and check
50 | -- it points to bytes that then decode to PE|00 00|
51 | -- 7,8,9,10,11,12 also cover their divisors 1 - 6, but include 4 four safety
52 | 
53 |     key_lengths = {4,5,6,7,8,9,10,11,12,13,14,15,16}
54 | 
55 |     for n, l in pairs(key_lengths) do
56 | 
57 |         koffset = ((l-(0x28 % l)) % l)
58 | 
59 |         for i = 0, l-1, 1 do
60 |            key[i+1] = bit.bxor(a:byte(0x28+1+((i+koffset) % l)),(0x28+((i+koffset) % l)))
61 |         end
62 |         
63 | 
64 |         pe = bit.bxor(bit.bxor(a:byte(0x3c+1), key[1+(0x3c % l)]), 0x3c)
65 |         if verbose==1 then print("Trying " .. l .. "-byte XOR key; PE block at " .. pe) end
66 |         if ((pe < 256) and (pe < #a-4)) then
67 |             offset = pe % l
68 |             if (bit.bxor(bit.bxor(a:byte(pe+1), key[offset+1]), pe) == string.byte('P')) and 
69 |                (bit.bxor(bit.bxor(a:byte(pe+2), key[((1+offset)%l)+1]), pe+1) == string.byte('E')) then
70 |                 if verbose==1 then print("Found " .. l .. "-byte XOR key; PE block at " .. pe) end
71 |                 return 1
72 |             end
73 |         end
74 |     end
75 | 
76 |     return 0
77 | end
78 | 
79 | 
80 | -- return match via table
81 | function match(args)
82 |     local t = tostring(args["http.response_body"])
83 |     return common(t,0)
84 | end
85 | 
86 | function run()
87 |   local f = io.open(arg[1])
88 |   local t = f:read("*all")
89 |   f:close()
90 |   common(t,1)
91 | end
92 | 


--------------------------------------------------------------------------------
/CVE-2015-1641.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2015-1641 expects DOCX
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <docx file>
 20 | 
 21 | Darien Huss
 22 | --]]
 23 | 
 24 | require("zip")
 25 | 
 26 | function init (args)
 27 |     local needs = {}
 28 |     needs["http.response_body"] = tostring(true)
 29 |     return needs
 30 | end
 31 | 
 32 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
 33 | function HexDumpString(str,spacer)
 34 |     return (
 35 |     string.gsub(str,"(.)",
 36 |     function (c)
 37 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
 38 |     end)
 39 |     )
 40 | end
 41 | 
 42 | function docx_handler(t,verbose)
 43 |     rtn = 0
 44 |     tmpname = os.tmpname()
 45 |     
 46 |     tmp = io.open(tmpname,'w')
 47 |     tmp:write(t)
 48 |     tmp:close()
 49 | 
 50 |     z,err = zip.open(tmpname)
 51 |     local buffers = {}
 52 |     if z then
 53 |         for w in z:files() do
 54 |             if string.find(w.filename,"word/document.xml",1,true) then
 55 |                 f = z:open(w.filename);
 56 |                 u = f:read("*all")
 57 |                 --convert to lowercase
 58 |                 u = u:lower()
 59 |                 f:close()
 60 |                 if (verbose==1) then print("Checking " .. w.filename) end
 61 |                     --search for unique content first for performance, all matches lowercase
 62 |                     if string.find(u,'w:displacedbycustomxml="prev"') then
 63 |                         --search each smartTag for invalid combinations of inner tags
 64 |                         for smartTag in string.gmatch(u,'<w:smarttag(.-)</w:smarttag>') do
 65 |                             --if invalid combination found, alert
 66 |                             if string.find(smartTag,'<w:permstart[^>]+w:displacedbycustomxml="prev"') then
 67 |                                 rtn2 = 1
 68 |                             end
 69 |                         end
 70 |                     end
 71 |                     if (verbose == 0) then
 72 |                         if rtn2 == 1 then return 1 end
 73 |                     end
 74 |                     if rtn2 == 1 then rtn = rtn2 end
 75 |                 end
 76 |             end
 77 |     end
 78 |     if err then print(err) end
 79 |     if z then z:close() end
 80 |     os.remove(tmpname)
 81 |     return rtn
 82 | end
 83 | 
 84 | function common(t,o,verbose)
 85 |     rtn = 0
 86 |     if string.sub(t,1,4) == "PK\003\004" then
 87 |         rtn = docx_handler(t,verbose)
 88 |     end
 89 |     return rtn 
 90 | end
 91 | 
 92 | function match(args)
 93 |     local t = tostring(args["http.response_body"])
 94 |     local o = args["offset"]
 95 |     return common(t,o,0)
 96 | end
 97 | 
 98 | function run()
 99 |   local f = io.open(arg[1])
100 |   local t = f:read("*all")
101 |   f:close()
102 |   common(t,4,1)
103 | end
104 | 


--------------------------------------------------------------------------------
/suri-xor-non-zero.lua:
--------------------------------------------------------------------------------
 1 | --[[
 2 | #*************************************************************
 3 | #  Copyright (c) 2003-2013, Emerging Threats
 4 | #  All rights reserved.
 5 | #  
 6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 7 | #  following conditions are met:
 8 | #  
 9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
10 | #    disclaimer.
11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
14 | #    from this software without specific prior written permission.
15 | #  
16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
23 | #
24 | #*************************************************************
25 | 
26 | This lua script can be run standalone and verbosely on a binary file with
27 | echo "run()" | lua -i <script name> <binary file>
28 | 
29 | Chris Wakelin
30 | --]]
31 | 
32 | function init (args)
33 |     local needs = {}
34 |     needs["http.response_body"] = tostring(true)
35 |     return needs
36 | end
37 | 
38 | function xor0(byte, key)
39 |    local bit = require("bit")
40 |    if byte == key or byte == 0 then
41 |        return byte
42 |    end
43 |    return bit.bxor(byte,key)
44 | end
45 | 
46 | -- return match via table
47 | function common(a,verbose)
48 |     local result = {}
49 |     local bit = require("bit")
50 | 
51 |     if #a < 1024 then 
52 |         return 0
53 |     end
54 | 
55 | -- Check for XOR with 0 and XOR-key bytes left alone
56 | -- PE offset is (nearly?) always divisible by 8, so key lengths 1,2,4 will always be detected
57 | -- Can match other key lengths in some cases where the remainder on dividing into 0x3c is 0,1,2 or 4
58 | -- and on dividing into the PE offset is 0 or 1 (or 4 when the key length is 5)
59 |     key = {xor0(a:byte(1), string.byte('M')), xor0(a:byte(2), string.byte('Z')), xor0(a:byte(3), 0x90), 0, xor0(a:byte(5), 0x03), 0, 0, 0}
60 | 
61 |     key_lengths = {1,3,5,6,7,8}
62 |     for n,l in pairs(key_lengths) do
63 |       
64 |         koffset = 0x3c % l
65 |         pe = xor0(a:byte(0x3c+1),key[1+koffset]) + (256*xor0(a:byte(0x3c+2),key[((1+koffset) % l) + 1]))
66 |         if verbose==1 then print("Trying PE header at " .. pe) end
67 | 
68 |         koffset = pe % l
69 |         if ((pe < 4096) and (pe < #a-4)) then
70 |             if xor0(a:byte(pe+1),key[1+koffset]) == string.byte('P') and
71 |                xor0(a:byte(pe+2),key[((1+koffset) % l) + 1]) == string.byte('E') and
72 |                a:byte(pe+3) == 0 and
73 |                a:byte(pe+4) == 0 then
74 |                 if verbose==1 then print("Found " .. l .. "-byte XOR-but-not-zero key " .. key[1] .. "," .. key[2] .. " - PE block at " .. pe) end
75 |                 return 1
76 |             end
77 |         end
78 |     end
79 | 
80 |     return 0
81 | end
82 | 
83 | -- return match via table
84 | function match(args)
85 |     local t = tostring(args["http.response_body"])
86 |     return common(t,0)
87 | end
88 | 
89 | function run()
90 |   local f = io.open(arg[1])
91 |   local t = f:read("*all")
92 |   f:close()
93 |   common(t,1)
94 | end
95 | 


--------------------------------------------------------------------------------
/experimental.rules:
--------------------------------------------------------------------------------
 1 | #*************************************************************
 2 | #  Copyright (c) 2003-2015, Emerging Threats
 3 | #  All rights reserved.
 4 | #  
 5 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 6 | #  following conditions are met:
 7 | #  
 8 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 9 | #    disclaimer.
10 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
11 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
12 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
13 | #    from this software without specific prior written permission.
14 | #  
15 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
16 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
17 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
18 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
19 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
20 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
21 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
22 | #
23 | #*************************************************************
24 | #
25 | # These are experimental rules using a combination of Lua and the "xbits" feature included in Suricata 2.1beta and later
26 | #
27 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL Flash file download (CWS)"; flow:established,from_server; file_data; content:"CWS"; within:3; xbits:set,ET.pluginfile,track ip_pair, expire 120; flowbits:noalert; classtype:bad-unknown; sid:380000001; rev:1;)
28 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL Flash file download (ZWS)"; flow:established,from_server; file_data; content:"ZWS"; within:3; xbits:set,ET.pluginfile,track ip_pair, expire 120; flowbits:noalert; classtype:bad-unknown; sid:380000002; rev:1;)
29 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL Possible SilverLight file download"; flow:established,from_server; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; nocase; xbits:set,ET.pluginfile,track ip_pair, expire 120; flowbits:noalert; classtype:bad-unknown; sid:380000003; rev:1;)
30 | #
31 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPERIMENTAL download with minimal headers after plugin file download (1)"; flow:to_server,established; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; xbits:isset,ET.pluginfile,track ip_pair; classtype:bad-unknown; sid:380000010; rev:1;)
32 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPERIMENTAL download with minimal headers after plugin file download (2)"; flow:to_server,established; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; xbits:isset,ET.pluginfile,track ip_pair; classtype:bad-unknown; sid:380000011; rev:1;)
33 | #
34 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) download with high entropy after plugin file download"; flow:from_server,established; filesize:>10240; filemagic:"data"; filemagic:!" data"; xbits:isset,ET.pluginfile,track ip_pair; luajit:suri-high-entropy.lua; classtype:bad-unknown; sid:380000015; rev:1;)
35 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL (data) download with high entropy from dotted-quad host"; flow:from_server,established; filesize:>10240; filemagic:"data"; filemagic:!" data"; flowbits:isset,http.dottedquadhost; luajit:suri-high-entropy.lua; classtype:bad-unknown; sid:380000016; rev:1;)
36 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL XORed binary after plugin file download"; flow:from_server,established; file_data; content:!"MZ"; within:2; xbits:isset,ET.pluginfile,track ip_pair; luajit:suri-xor-binary-quick.lua; classtype:bad-unknown; sid:380000017; rev:1;)
37 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPERIMENTAL PE EXE or DLL binary after plugin file download"; flow:from_server,established; flowbits:isset,ET.http.binary; xbits:isset,ET.pluginfile,track ip_pair; threshold: type both, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:380000018; rev:1;)
38 | 


--------------------------------------------------------------------------------
/CVE-2015-6132.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2015-6132/6133 expects PPT or PPSX
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <power pointfile>
 20 | 
 21 | Will Metcalf
 22 | Chris Wakelin
 23 | Francis Trudeau
 24 | --]]
 25 | susp_class = {
 26 |               {"\201\175\171\236\25\127\210\17\151\142\0\0\248\117\126\42","\110\219\124\210\109\174\207\17\150\184\68\69\83\84\0\0","\181\232\60\217\248\59\44\70\160\63\222\210\115\0\120\186",1,true,"CLSID"},
 27 |              }
 28 | 
 29 | require("zip")
 30 | 
 31 | function init (args)
 32 |     local needs = {}
 33 |     needs["http.response_body"] = tostring(true)
 34 |     return needs
 35 | end
 36 | 
 37 | 
 38 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
 39 | function HexDumpString(str,spacer)
 40 |     return (
 41 |     string.gsub(str,"(.)",
 42 |     function (c)
 43 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
 44 |     end)
 45 |     )
 46 | end
 47 | 
 48 | function match_strings(a,match_set,verbose)
 49 |     local rtn = 0
 50 |     local n,m
 51 |     local num_strings = #match_set - 3
 52 | 
 53 |     local match_num = match_set[num_strings+1]
 54 |     local plain = match_set[num_strings+2]
 55 |     local desc = match_set[num_strings+3]
 56 |     local cnt=0
 57 |     local fnd
 58 | 
 59 |    if verbose == 1 then print("Looking for " .. match_num .. " out of " .. num_strings .. " strings : " .. desc) end
 60 |     for n = 1, num_strings, 1 do
 61 |         m = match_set[n]
 62 |        if verbose == 1 then print("Looking for string " .. cnt .. " of " .. match_num .. " : " .. m) end
 63 |         fnd = string.find(a,m,1,plain)
 64 |         if fnd then
 65 |             cnt = cnt + 1
 66 |            if verbose == 1 then print("Found string " .. cnt .. " of " .. match_num .. " : " .. m) end
 67 |             if cnt == match_num then
 68 |                 if verbose == 1 then print("Found " .. desc) end
 69 |                 rtn = 1
 70 |                 break
 71 |             end
 72 |         end
 73 |     end
 74 |     
 75 |     return rtn
 76 | end
 77 | 
 78 | function find_clsid(u,filename,verbose)
 79 |     local rtn = 0
 80 |     for l,s in pairs(susp_class) do
 81 |         if (verbose==1) then print("Looking for " .. s[#s]) end
 82 |         if match_strings(u,s,verbose) == 1 then
 83 |             rtn = 1
 84 |             if (verbose == 0) then
 85 |                 break
 86 |             end
 87 |         end
 88 |     end
 89 |     if (verbose == 0) then
 90 |         if rtn == 1 then return 1 end
 91 |     end
 92 |     return rtn
 93 | end
 94 | 
 95 | function ppt_handler(t,verbose)
 96 |     rtn = 0
 97 |     tmpname = os.tmpname()
 98 |     
 99 |     tmp = io.open(tmpname,'w')
100 |     tmp:write(t)
101 |     tmp:close()
102 | 
103 |     z,err = zip.open(tmpname)
104 |     local buffers = {}
105 |     if z then
106 |         for w in z:files() do
107 |             if string.find(w.filename,"ppt/embeddings/oleObject",1,true) then
108 |                 f = z:open(w.filename);
109 |                 u = f:read("*all")
110 |                 f:close()
111 |                 if (verbose==1) then print("Checking " .. w.filename) end
112 |                     rtn2 = find_clsid(u,w.filename,verbose)
113 |                     if (verbose == 0) then
114 |                         if rtn2 == 1 then return 1 end
115 |                     end
116 |                     if rtn2 == 1 then rtn = rtn2 end
117 |                 end
118 |             end
119 |     end
120 |     if err then print(err) end
121 |     if z then z:close() end
122 |     os.remove(tmpname)
123 |     return rtn
124 | end
125 | 
126 | function common(t,o,verbose)
127 |     rtn = 0
128 |     if string.sub(t,1,4) == "PK\003\004" then
129 |         rtn = ppt_handler(t,verbose)
130 |     end
131 |     return rtn 
132 | end
133 | 
134 | function match(args)
135 |     local t = tostring(args["http.response_body"])
136 |     local o = args["offset"]
137 |     return common(t,o,0)
138 | end
139 | 
140 | function run()
141 |   local f = io.open(arg[1])
142 |   local t = f:read("*all")
143 |   f:close()
144 |   common(t,4,1)
145 | end
146 | 


--------------------------------------------------------------------------------
/CVE-2014-4114.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | Detection for CVE-2012-3096 expects DOCX or TIFF
 17 | 
 18 | This lua script can be run standalone and verbosely on a Flash file with
 19 | echo "run()" | luajit -i <script name> <tiff file|docx file>
 20 | 
 21 | Will Metcalf
 22 | Chris Wakelin
 23 | --]]
 24 | susp_class = {
 25 |               {"\092\092[^%z]-\046[iI][Nn][Ff]%z",1,false,"UNC Path to INF file"},
 26 |               {"Software\092Microsoft\092Windows\092CurrentVersion\092Run","DefaultInstall","AddReg",3,true,"Embedded INF File"},
 27 |               {"\000MZ","This program cannot be run in DOS mode",2,true,"Embedded EXE"},
 28 |              }
 29 | 
 30 | require("zip")
 31 | 
 32 | function init (args)
 33 |     local needs = {}
 34 |     needs["http.response_body"] = tostring(true)
 35 |     return needs
 36 | end
 37 | 
 38 | 
 39 | --http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
 40 | function HexDumpString(str,spacer)
 41 |     return (
 42 |     string.gsub(str,"(.)",
 43 |     function (c)
 44 |         return string.format("%02X%s",string.byte(c), spacer or "\\")
 45 |     end)
 46 |     )
 47 | end
 48 | 
 49 | function match_strings(a,match_set,verbose)
 50 |     local rtn = 0
 51 |     local n,m
 52 |     local num_strings = #match_set - 3
 53 | 
 54 |     local match_num = match_set[num_strings+1]
 55 |     local plain = match_set[num_strings+2]
 56 |     local desc = match_set[num_strings+3]
 57 |     local cnt=0
 58 |     local fnd
 59 | 
 60 | --    if verbose == 1 then print("Looking for " .. match_num .. " out of " .. num_strings .. " strings : " .. desc) end
 61 |     for n = 1, num_strings, 1 do
 62 |         m = match_set[n]
 63 | --        if verbose == 1 then print("Looking for string " .. cnt .. " of " .. match_num .. " : " .. m) end
 64 |         fnd = string.find(a,m,1,plain)
 65 |         if fnd then
 66 |             cnt = cnt + 1
 67 | --            if verbose == 1 then print("Found string " .. cnt .. " of " .. match_num .. " : " .. m) end
 68 |             if cnt == match_num then
 69 |                 if verbose == 1 then print("Found " .. desc) end
 70 |                 rtn = 1
 71 |                 break
 72 |             end
 73 |         end
 74 |     end
 75 |     return rtn
 76 | end
 77 | 
 78 | function find_ole_with_inf_smb(u,filename,verbose)
 79 |     local rtn = 0
 80 |     for l,s in pairs(susp_class) do
 81 |         if (verbose==1) then print("Looking for " .. s[#s]) end
 82 |         if match_strings(u,s,verbose) == 1 then
 83 |             rtn = 1
 84 |             if (verbose == 0) then
 85 |                 break
 86 |             end
 87 |         end
 88 |     end
 89 |     if (verbose == 0) then
 90 |         if rtn == 1 then return 1 end
 91 |     end
 92 |     return rtn
 93 | end
 94 | 
 95 | function ppt_handler(t,verbose)
 96 |     rtn = 0
 97 |     tmpname = os.tmpname()
 98 |     
 99 |     tmp = io.open(tmpname,'w')
100 |     tmp:write(t)
101 |     tmp:close()
102 | 
103 |     z,err = zip.open(tmpname)
104 |     local buffers = {}
105 |     if z then
106 |         for w in z:files() do
107 |             if string.find(w.filename,"ppt/embeddings/oleObject",1,true) then
108 |                 f = z:open(w.filename);
109 |                 u = f:read("*all")
110 |                 f:close()
111 |                 if (verbose==1) then print("Checking " .. w.filename) end
112 |                     rtn2 = find_ole_with_inf_smb(u,w.filename,verbose)
113 |                     if (verbose == 0) then
114 |                         if rtn2 == 1 then return 1 end
115 |                     end
116 |                     if rtn2 == 1 then rtn = rtn2 end
117 |                 end
118 |             end
119 |     end
120 |     if err then print(err) end
121 |     if z then z:close() end
122 |     os.remove(tmpname)
123 |     return rtn
124 | end
125 | 
126 | function common(t,o,verbose)
127 |     rtn = 0
128 |     if string.sub(t,1,4) == "PK\003\004" then
129 |         rtn = ppt_handler(t,verbose)
130 |     end
131 |     return rtn 
132 | end
133 | 
134 | function match(args)
135 |     local t = tostring(args["http.response_body"])
136 |     local o = args["offset"]
137 |     return common(t,o,0)
138 | end
139 | 
140 | function run()
141 |   local f = io.open(arg[1])
142 |   local t = f:read("*all")
143 |   f:close()
144 |   common(t,4,1)
145 | end
146 | 


--------------------------------------------------------------------------------
/suri-suspicious-pack200jar.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2013, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | Detection for suspicious pack200/gzip Java files
 27 | Requires the lua zlib module https://github.com/brimworks/lua-zlib
 28 | 
 29 | This lua script can be run standalone and verbosely on a pack200/gzip file with
 30 | echo "run()" | lua -i <script name> <pack200/gzip file>
 31 | 
 32 | Chris Wakelin
 33 | Will Metcalf
 34 | --]]
 35 | 
 36 | local lz = require("zlib")
 37 | 
 38 | -- {strings to match, number of matching strings needed, simple strings, description}
 39 | susp_class = {
 40 |               {"yv66v",1,true,"Base-64-encoded class file",0},
 41 |               {"CAFEBABE",1,true,"Hex-encoded class file",0},
 42 |               {"[Cc].?.?.?[Aa].?.?.?[Ff].?.?.?[Ee].?.?.?[Bb].?.?.?[Aa].?.?.?[Bb].?.?.?[Ee]",1,false,"Hex-encoded class file (possibly obfuscated)",0},
 43 |               {"etSecurityManager",1,true,"[gs]etSecurityManager www.fireeye.com/blog/technical/2013/06/get-set-null-java-security.html",0},
 44 |               {"reganaMytiruceS",1,true,"SecurityManger reversed PrivatePack June 27 2013",0},
 45 |               {"isableSecurity",1,true,"Generic [Dd]isableSecurity (Observed in Styx)",0},
 46 |               {"image","Raster","SampleModel",3,true,"Classes used in awt exploits",0},
 47 |               {"image","SinglePixelPacked",2,true,"CVE-2013-2471",0},
 48 |               {"image","MultiPixelPacked",2,true,"CVE-2013-2465/2463",0},
 49 |               {"javafx","application","Preloader","Stage","Application",5,true,"Java7u21 Click2play Bypass http://seclists.org/bugtraq/2013/Jul/41 ???",0} 
 50 |              }
 51 | 
 52 | function init (args)
 53 |     local needs = {}
 54 |     needs["http.response_body"] = tostring(true)
 55 |     return needs
 56 | end
 57 | 
 58 | function match_strings(a,match_set,verbose)
 59 |     local rtn = 0
 60 |     local n,m
 61 |     local num_strings = #match_set - 4 
 62 |     
 63 |     local match_num = match_set[num_strings+1]
 64 |     local plain = match_set[num_strings+2]
 65 |     local desc = match_set[num_strings+3]
 66 |     local fnd
 67 |     
 68 |     for n = 1, num_strings, 1 do
 69 |         m = match_set[n]
 70 |         if m ~= 0 then
 71 |             fnd = string.find(a,m,1,plain)
 72 |             if fnd then
 73 |                 match_set[num_strings+4] = match_set[num_strings+4] + 1
 74 |                 if verbose == 1 then print("Found String " .. m .. " " .. match_set[num_strings+4] .. " of " .. match_num) end
 75 |                 --match_set[num_strings+4] is our counter
 76 |                 if match_set[num_strings+4] == match_num then
 77 |                     if verbose == 1 then print("Found " .. desc) end
 78 |                     match_set[n] = 0
 79 |                     rtn = 1
 80 |                     break
 81 |                 else
 82 |                     --Found lets zero it out so we don't check again
 83 |                     match_set[n] = 0
 84 |                 end
 85 |            end
 86 |         end
 87 |     end
 88 |     return rtn
 89 | end
 90 | 
 91 | function common(t,verbose)
 92 | 
 93 |     rtn = 0
 94 | 
 95 |     stream = lz.inflate()
 96 |     u, eof, bytes_in, uncompressed_len = stream(t)
 97 | 
 98 |     if string.sub(u,1,4) == "\202\254\208\013"  then -- CAFED00D in decimal
 99 |         if (verbose==1) then print("Found pack200-ed file") end
100 |         for l,s in pairs(susp_class) do
101 |             if (verbose==1) then print("Looking for " .. s[#s-1] .. " in uncompressed stream") end
102 |             if match_strings(u,s,verbose) == 1 then
103 |                 rtn = 1
104 |                 if (verbose == 0) then
105 |                    break
106 |                 end
107 |             end
108 |         end
109 |     end
110 |     return rtn
111 | end
112 | 
113 | -- return match via table
114 | function match(args)
115 |     local t = tostring(args["http.response_body"])
116 |     return common(t,0)
117 | end
118 | 
119 | function run()
120 |   local f = io.open(arg[1])
121 |   local t = f:read("*all")
122 |   f:close()
123 |   if common(t,1) == 1 then print("Found Suspicious String in " .. arg[1]) end
124 | end
125 | 
126 | 


--------------------------------------------------------------------------------
/CVE-2013-0074.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2013, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | Detection for suspicious Silverlight files requires lua zip module.
 27 | sudo apt-get install liblua5.1-zip-dev 
 28 | 
 29 | This lua script can be run standalone and verbosely on a Silverlight file with
 30 | echo "run()" | lua -i <script name> <Silverlight Package>
 31 | 
 32 | Chris Wakelin
 33 | Will Metcalf
 34 | --]]
 35 | 
 36 | require("zip")
 37 | -- {strings to match, number of matching strings needed, simple strings, description}
 38 | susp_class = {
 39 |               {"WriteableBitmap","get_PixelWidth","get_PixelHeight","SetSource","\137\080\078\071\013\010\026\010\000\000\000\013\073\072\068\082\000\000\000\008\000\000\000\004\008\003\000\000\000\132\019\142\194",5,true,"CVE-2013-0074 VariousEK's",0},
 40 |               {"F:\\EXP\\",".pdb",2,true,"CVE-2013-0074 Nuclear",0},
 41 |               {"d%z?r%z?o%z?p%z?B%z?o%z?m%z?b","W%z?S%z?c%z?r%z?i%z?p%z?t%z?%.%z?S%z?h%z?e%z?l%z?l",1,false,"CVE-2013-0074 Unknown 18cbe962a6d290543d47a51a0837d7bb",0},
 42 |               {"XPerTu x64 productions 2009","Object","System.Windows.Browser","AesManaged",4,true,"CVE-2013-0074 AnglerEK",0},
 43 |               {"\009\032\069\071\071\033\158",1,true,"Magnitude EK",0},
 44 |               {"GetChars","GetDecoder","GetCharCount","ExecPayload","Shell32","Shell64","Assembly","System.Text",8,true,"CVE-2016-0034",0}
 45 |              }
 46 | 
 47 | obfus_strings = {
 48 | }
 49 | function init (args)
 50 |     local needs = {}
 51 |     needs["http.response_body"] = tostring(true)
 52 |     return needs
 53 | end
 54 | 
 55 | function match_strings(a,match_set,verbose)
 56 |     local rtn = 0
 57 |     local n,m
 58 |     local num_strings = #match_set - 4 
 59 |     
 60 |     local match_num = match_set[num_strings+1]
 61 |     local plain = match_set[num_strings+2]
 62 |     local desc = match_set[num_strings+3]
 63 |     local fnd
 64 |     
 65 |     for n = 1, num_strings, 1 do
 66 |         m = match_set[n]
 67 |         if m ~= 0 then
 68 |             fnd = string.find(a,m,1,plain)
 69 |             if fnd then
 70 |                 match_set[num_strings+4] = match_set[num_strings+4] + 1
 71 |                 if verbose == 1 then print("Found String " .. m .. " " .. match_set[num_strings+4] .. " of " .. match_num) end
 72 |                 --match_set[num_strings+4] is our counter
 73 |                 if match_set[num_strings+4] == match_num then
 74 |                     if verbose == 1 then print("Found " .. desc) end
 75 |                     match_set[n] = 0
 76 |                     rtn = 1
 77 |                     break
 78 |                 else
 79 |                     --Found lets zero it out so we don't check again
 80 |                     match_set[n] = 0
 81 |                 end
 82 |            end
 83 |         end
 84 |     end
 85 |     return rtn
 86 | end
 87 | 
 88 | function common(t,verbose)
 89 | 
 90 |     rtn = 0
 91 | 
 92 |     -- tmpfs setup should be faster
 93 |     -- mkdir -p /home/suricata/scratch  && sudo mount -t tmpfs -o size=1G,mode=0700 tmpfs /home/suricata/scratch && sudo chown suricata:suricata /home/suricata/scratch/
 94 |     -- tmpname = "/home/suricata/scratch/eviljars." .. tostring(os.time()) .. "." .. tostring(math.random(2000000,9000000))
 95 |     tmpname = os.tmpname()
 96 | 
 97 |     tmp = io.open(tmpname,'w')
 98 |     tmp:write(t)
 99 |     tmp:close()
100 | 
101 |     z = zip.open(tmpname)
102 | 
103 |     if z then 
104 |         for w in z:files() do
105 |             f = z:open(w.filename);
106 |             u = f:read("*all")
107 |             f:close()
108 |             if (verbose==1) then print("Checking " .. w.filename) end
109 |             if (string.sub(u,1,2) == "MZ") then
110 |                 for l,s in pairs(susp_class) do
111 |                     if (verbose==1) then print("Looking for " .. s[#s-1] .. " in ".. w.filename) end
112 |                     if match_strings(u,s,verbose) == 1 then
113 |                         rtn = 1
114 |                         if (verbose == 0) then
115 |                            break
116 |                         end
117 |                     end
118 |                 end
119 |             end
120 |     end
121 |     z:close()
122 |     end
123 |     os.remove(tmpname)
124 |     return rtn
125 | end
126 | 
127 | -- return match via table
128 | function match(args)
129 |     local t = tostring(args["http.response_body"])
130 |     return common(t,0)
131 | end
132 | 
133 | function run()
134 |   local f = io.open(arg[1])
135 |   local t = f:read("*all")
136 |   f:close()
137 |   if common(t,1) == 1 then print("Found Suspicious String in " .. arg[1]) end
138 | end
139 | 
140 | 


--------------------------------------------------------------------------------
/CVE-2012-1535.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 |     This program is free software; you can redistribute it and/or modify
  3 |     it under the terms of the GNU General Public License as published by
  4 |     the Free Software Foundation; either version 2 of the License, or
  5 |     (at your option) any later version.
  6 | 
  7 |     This program is distributed in the hope that it will be useful,
  8 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 |     GNU General Public License for more details.
 11 | 
 12 |     You should have received a copy of the GNU General Public License along
 13 |     with this program; if not, write to the Free Software Foundation, Inc.,
 14 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 15 | 
 16 | 
 17 |     ###Parsing bit is Based on swf.py from Jsunpack which is GPLv2 so we use that as well
 18 |     https://code.google.com/p/jsunpack-n/source/browse/trunk/swf.py
 19 | 
 20 |     ####Example prefilter rules. Worked with Contagio .doc samples but had to set libhtp to insane settings below. Ideally we should be able to at least set flow int's from lua so we can create streaming parsers.
 21 | 
 22 |      response-body-minimal-inspect-size: 65kb
 23 |      response-body-inspect-window: 65kb
 24 | 
 25 | 
 26 |     #New rules
 27 |     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) "; flow:from_server,established; file_data; content:"FWS"; depth:3; luajit:CVE-2012-1535.lua; content:"kern"; fast_pattern:only; classtype:trojan-activity; sid:7016688; rev:4;)
 28 |     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Compressed)"; flow:from_server,established; file_data; content:"CWS"; depth:3; luajit:CVE-2012-1535.lua; classtype:trojan-activity; sid:7016687; rev:4;)
 29 |     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) "; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"kern"; fast_pattern:only;  content:"FWS"; luajit:CVE-2012-1535.lua; classtype:trojan-activity; sid:6688; rev:4;)
 30 |     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Compressed)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"CWS"; luajit:CVE-2012-1535.lua; classtype:trojan-activity; sid:6687; rev:4;)
 31 | 
 32 |     #Existing rules
 33 |     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; content:"|d0 cf 11 e0 a1 b1 1a e1|"; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:6;)
 34 | 
 35 |     ###Requirements
 36 |     
 37 |     #struct module
 38 |     sudo luarocks install struct
 39 | 
 40 |     #lua-zlib
 41 |     https://github.com/brimworks/lua-zlib
 42 |    
 43 |     ###Technical Description of the Vuln
 44 |     http://www.exploit-db.com/wp-content/themes/exploit/docs/21928.pdf
 45 | --]]
 46 | 
 47 | -- CVE-2012-1535 --
 48 | local lz = require 'zlib'
 49 | local s = require 'struct'
 50 | local bit = require("bit")
 51 | 
 52 | function init (args)
 53 |     local needs = {}
 54 |     needs["http.response_body"] = tostring(true)
 55 |     return needs
 56 | end
 57 | 
 58 | function match(args)
 59 |     local t = tostring(args["http.response_body"])
 60 | 
 61 |     -- CWS and FWS are both 3 bytes long
 62 |     -- Method should work for Flash inside of OLE etc.
 63 |     local o = args["offset"]
 64 |     t = string.sub(t,o - 3) 
 65 |     local tlen = string.len(t)
 66 | 
 67 |     --Parse the SWF Header
 68 |     local sig = string.sub(t,1, 3)
 69 |     local ver = string.byte(t,4)
 70 |     local len = s.unpack("<I4",string.sub(t,5,8))
 71 | 
 72 |     --subtract sig,ver,len
 73 |     local parsed_len = (len - 8)
 74 | 
 75 |     -- store uncompressed length
 76 |     local uncompressed_len = 0
 77 | 
 78 |     if sig  == "CWS" then 
 79 |         stream = lz.inflate()
 80 |         t, eof, bytes_in, uncompressed_len = stream(string.sub(t,9))
 81 |         if string.find(t,"kern",9,true) == nil then
 82 |             return 0
 83 |         end
 84 |     elseif sig ~= "FWS" then
 85 |         print("Not a SWF file bailing" .. sig)
 86 |         return 0
 87 |     end
 88 | 
 89 |     local offset = 9 
 90 |     --get number of bits in the rect
 91 |     local rectbits = bit.rshift(string.byte(t,9),3)
 92 | 
 93 |     if ((rectbits * 4) % 8) == 0 then
 94 |         more = rectbits * 4 / 8
 95 |     else
 96 |         more = math.floor(rectbits * 4 / 8) + 1
 97 |     end
 98 | 
 99 |     offset = offset + more + 1
100 |     offset = offset + 4 
101 | 
102 |     --iterate over the tags---
103 |     while offset + 1 < len do
104 |         b = string.byte(t,offset)
105 |         a = string.byte(t,offset + 1)
106 | 
107 |         -- Out of bytes
108 |         if a == nil or b == nil then 
109 |            --print("out of bytes " .. a,b)
110 |            return 0
111 |         end
112 | 
113 |         -- get tag bits --
114 |         offset = offset + 2
115 |         tagtype = bit.band(((bit.lshift(a,2)) + (bit.rshift(b,6))),0x03ff)
116 |         shortlen = bit.band(b,0x3f)
117 | 
118 |         -- is this a long tag format?
119 |         if shortlen == 0x3f then
120 |             shortlen = s.unpack("<I4",string.sub(t,offset,offset+4))
121 |             offset = offset + 4
122 |         end
123 | 
124 |         if tagtype == 91 then
125 |             ttfoffset = offset + 3
126 |             -- Find the end of the font name
127 |             ttfoffset = string.find(t,'\000',ttfoffset,true) + 1
128 |             --print(ttfoffset)            
129 |             ttf = string.sub(t,ttfoffset, ttfoffset + shortlen)
130 |             ktag = string.find(ttf,'kern',12,true)
131 |             if ktag ~= nil then
132 |                 -- Inside TTF we are big endian
133 |                 ktoffset = s.unpack(">I4",string.sub(ttf,ktag + 8, ktag + 11))
134 |                 --print(ktoffset .. " " .. shortlen)
135 |                 --make sure this is the type we are looking for
136 |                 if string.sub(ttf,ktoffset + 1, ktoffset + 4) == "\000\001\000\000" then
137 |                     --print("made it this far")
138 |                     ntables = s.unpack(">I4",(string.sub(ttf,ktoffset + 5, ktoffset + 8)))
139 |                     ntables_bad = s.unpack(">I4","\016\000\000\000") 
140 |                     if ntables >= ntables_bad then
141 |                         --print("we have a match " .. ntables)
142 |                         return 1
143 |                     end 
144 |                 end
145 |             end
146 |         end
147 |         offset = offset + shortlen  
148 |     end
149 |     return 0
150 | end
151 | 


--------------------------------------------------------------------------------
/suri-suspicious-jar.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2012, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | Detection for suspicious Jar files requires lua zip module.
 27 | sudo apt-get install liblua5.1-zip-dev 
 28 | 
 29 | Chris Wakelin
 30 | Will Metcalf
 31 | --]]
 32 | 
 33 | require("zip")
 34 | 
 35 | function init (args)
 36 |     local needs = {}
 37 |     needs["http.response_body"] = tostring(true)
 38 |     return needs
 39 | end
 40 | 
 41 | function find_set_match_multi_file(input_s,g_match_set,g_match_cnt,return_on_single)
 42 |     local rtn = 0
 43 |     for n,m in pairs(g_match_set) do
 44 |         --for i,v in ipairs(g_match_set) do print(i,v) end
 45 |         -- Do a non-regex match "plain" match for our strings
 46 |         if m ~= 0 then
 47 |             local fnd = string.find(input_s,m,1,true)
 48 |             if fnd then
 49 |                 if return_on_single then
 50 |                     rtn = 1
 51 |                     --print("This is my BOOM stick " .. m)
 52 |                     break
 53 |                 else
 54 |                     --print("found " .. m .. n)
 55 |                     g_match_cnt[1] = g_match_cnt[1] + 1
 56 |                     g_match_set[n]=0
 57 |                     --print(g_match_cnt[1])
 58 |                     --If we have match_cnt == number of input strings everything matched
 59 |                     if g_match_cnt[1] == #g_match_set then
 60 |                         --print("Then it came after me, it got into my hand and it went bad, so I lopped it off at the wrist.")
 61 |                         rtn = 1
 62 |                         break
 63 |                     end
 64 |                 end
 65 |             end
 66 |         end
 67 |     end
 68 |     return rtn
 69 | end
 70 | 
 71 | function match(args)
 72 |     local t = tostring(args["http.response_body"])
 73 |     local rtn = 0
 74 | 
 75 |     --Need tables for the match_cnt as well so they are passed as reference. Ya these can probably all live a a strings table but I'm still a lua newb. 
 76 |     -- CVE-2012-4681 Metasploit and others
 77 |     s2f1 = {'SunToolkit', 'getField','forName','setSecurityManager','execute'}
 78 |     s2f1_mcnt = {0}
 79 | 
 80 |     -- BH CVE-2012-0507 Metasploit and Others
 81 |      s2f2 = {'AtomicReferenceArray','ProtectionDomain','AllPermission','defineClass','newInstance'}
 82 |      s2f2_mcnt = {0}
 83 | 
 84 |     -- Metasploit and Others CVE-2012-5076
 85 |     s2f3 = {'glassfish/gmbal','GenericConstructor','ManagedObjectManagerFactory','/reflect'}
 86 |     s2f3_mcnt = {0}
 87 | 
 88 |     -- If any of these match assume it's evil and return
 89 |     -- Blackhole URL obfuscation string EpgKF3twh
 90 |     -- Zelix obfuscator version string as used in Blackhole ZKM5.4.3
 91 |     -- g01pack URL obfuscation string "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;"
 92 |     -- Nuclear URL obfuscation string "DEvuYp"
 93 |     -- Base64-encoded class file "yv66v"
 94 |     -- GlassFish classes used in CVE-2012-5076 exploit "glassfish/gmbal"
 95 |     s_one_and_done={'EpgKF3twh','ZKM5.4.3','f428e4e8','0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;','DEvuYp','yv66v'} 
 96 |     s_one_and_done_cnt = {0}
 97 | 
 98 |     -- Store our jar to the fs should probably use tmpfs or something
 99 |     --Should work for all systems
100 |     local tmpname = os.tmpname()
101 | 
102 |     -- tmpfs setup should be faster
103 |     -- mkdir -p /home/suricata/scratch  && sudo mount -t tmpfs -o size=1G,mode=0700 tmpfs /home/suricata/scratch && sudo chown suricata:suricata /home/suricata/scratch/
104 |     --local tmpname = "/home/suricata/scratch/eviljars." .. tostring(os.time()) .. "." .. tostring(math.random(2000000,9000000))
105 |     local tmp = io.open(tmpname,'w')
106 |     tmp:write(t)
107 |     tmp:close()
108 |     
109 |     --Open our jar file
110 |     local z = zip.open(tmpname)
111 | 
112 |     --Open each file in the zip and inspect it 
113 |     if z then 
114 |         for w in z:files() do
115 |             local f = z:open(w.filename);
116 |             local t = f:read("*all")
117 |             f:close()
118 |             --print("working with " .. w.filename)            
119 |             -- Is this a class file? If not we don't want to inspect more
120 |             if string.sub(t,1,4) == "\202\254\186\190" then
121 |                 -- Find our Evil strings
122 |                 if find_set_match_multi_file(t,s_one_and_done,s_one_and_done_cnt,true) == 1 then
123 |                     rtn = 1
124 |                     break
125 |                 elseif find_set_match_multi_file(t,s2f2,s2f2_mcnt) == 1 then
126 |                     --print("CVE-2012-0507")
127 |                     rtn = 1
128 |                     break
129 |                 elseif find_set_match_multi_file(t,s2f1,s2f1_mcnt) == 1 then
130 |                     --print("CVE-2012-4681")
131 |                     rtn = 1
132 |                     break
133 |                 elseif find_set_match_multi_file(t,s2f3,s2f3_mcnt) == 1 then
134 |                     --print("CVE-2012-5076")
135 |                     rtn = 1
136 |                     break
137 |                 end
138 |             end
139 |         end
140 |     -- Close out our zip
141 |     z:close()
142 |     end
143 |     -- Remove the tmpfile
144 |     os.remove(tmpname)
145 |     return rtn
146 | end
147 | 


--------------------------------------------------------------------------------
/suri-xor-binary-detect.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2012, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | --]]
 26 | 
 27 | function init (args)
 28 |     local needs = {}
 29 |     needs["http.response_body"] = tostring(true)
 30 |     return needs
 31 | end
 32 | 
 33 | 
 34 | -- return match via table
 35 | function match(args)
 36 |     local result = {}
 37 |     local bit = require("bit")
 38 | 
 39 |     -- "This program cannot be run in DOS mode."
 40 |     --  could match (4 byte key) "K'$#x=,=x.?<q3*q35km(4?$$q"
 41 | 
 42 |     -- "This program must be run in Win32"
 43 |     --  could match (4 byte key) "K'$#x=,=x +!kr()km(4?8$5z8q"
 44 | 
 45 |     -- "This program " (match strings for 4 byte and 6 byte keys)
 46 |     local tp4_string,tp6_string = "K'$#x=,=x","Ihan.r="
 47 | 
 48 |     local p = "This p"
 49 | 
 50 |     local search_start,search_stop = 70,100
 51 |     -- Probably 79,104 for string "This program ... DOS mode."
 52 |     -- Probably 81,107 for string "This program ... win32"
 53 |     -- Only looking for "This program "
 54 | 
 55 |     a = tostring(args["http.response_body"])
 56 |     b4,b6 = "",""
 57 |     key = {}
 58 | 
 59 |     if #a < 1024 then 
 60 |         return 0
 61 |     end
 62 | 
 63 |     for i = search_start,search_stop,1 do
 64 |         b4 = b4 .. string.char(bit.bxor(a:byte(i),a:byte(i+4),0x3f))
 65 |         b6 = b6 .. string.char(bit.bxor(a:byte(i),a:byte(i+6),0x6f))
 66 |     end
 67 | 
 68 |     -- Look for matched XORed string, 4-byte key first
 69 |     -- If found, see if we started "MZ" at byte 1
 70 |     -- If MZ not found, identify PE header offset and look for PE|00|
 71 |     -- also check the same for extra byte 0 (g01pack)
 72 |     -- If not found, repeat for 6-byte key (except g01pack which is 1-byte key anyway)
 73 |     
 74 |     f = string.find(b4,tp4_string,1,true)
 75 |     if f ~= nil then
 76 |         do 
 77 |             offset = (search_start + f - 2) % 4
 78 |             for i = offset, offset + 3, 1 do
 79 |                 key[(i%4)+1] = bit.bxor(a:byte(search_start+f-1+(i%4)),p:byte((i%4)+1))
 80 |             end
 81 | 
 82 |             if (bit.bxor(a:byte(1),key[offset+1]) == string.byte('M')) and 
 83 |                (bit.bxor(a:byte(2),key[((offset+1)%4)+1]) == string.byte('Z')) then 
 84 |                 return 1
 85 |             end
 86 | 
 87 |             if (bit.bxor(a:byte(2),key[((offset+1)%4)+1]) == string.byte('M')) and 
 88 |                (bit.bxor(a:byte(3),key[((offset+2)%4)+1]) == string.byte('Z')) then 
 89 |                 return 1
 90 |             end
 91 | 
 92 |             pe = bit.bxor(a:byte(0x3c+1), key[((0x3c+offset)%4)+1])+(256*bit.bxor(a:byte(0x3c+2), key[((0x3c+offset+1)%4)+1]))
 93 |             if (pe < 1024) then
 94 |                 do
 95 |                     if (bit.bxor(a:byte(pe+1), key[((pe+offset)%4)+1]) == string.byte('P')) and
 96 |                        (bit.bxor(a:byte(pe+2), key[((pe+offset+1)%4)+1]) == string.byte('E')) and
 97 |                        (bit.bxor(a:byte(pe+3), key[((pe+offset+2)%4)+1]) == 0) and
 98 |                        (bit.bxor(a:byte(pe+4), key[((pe+offset+3)%4)+1]) == 0) then
 99 |                         return 1
100 |                     end
101 |                 end
102 |             end
103 | 
104 |             pe = bit.bxor(a:byte(0x3c+2), key[((0x3c+offset+1)%4)+1])+(256*bit.bxor(a:byte(0x3c+3), key[((0x3c+offset+2)%4)+1]))
105 |             if (pe < 1024) then
106 |                 do
107 |                     if (bit.bxor(a:byte(pe+2), key[((pe+offset+1)%4)+1]) == string.byte('P')) and
108 |                        (bit.bxor(a:byte(pe+3), key[((pe+offset+2)%4)+1]) == string.byte('E')) and
109 |                        (bit.bxor(a:byte(pe+4), key[((pe+offset+3)%4)+1]) == 0) and
110 |                        (bit.bxor(a:byte(pe+5), key[((pe+offset+4)%4)+1]) == 0) then
111 |                         return 1
112 |                     end
113 |                 end
114 |             end
115 | 
116 |         end
117 |     end
118 | 
119 |     f = string.find(b6,tp6_string,1,true)
120 |     if f ~= nil then
121 |         do
122 |             offset = (search_start + f - 2) % 6
123 |             for i = offset, offset + 5, 1 do
124 |                 key[(i%6)+1] = bit.bxor(a:byte(search_start+f-1+(i%6)),p:byte((i%6)+1))
125 |             end
126 | 
127 |             if (bit.bxor(a:byte(1),key[offset+1]) == string.byte('M')) and 
128 |                (bit.bxor(a:byte(2),key[((offset+1)%6)+1]) == string.byte('Z')) then 
129 |                 return 1
130 |             end
131 | 
132 |             pe = bit.bxor(a:byte(0x3c+1), key[((0x3c+offset)%6)+1])+(256*bit.bxor(a:byte(0x3c+2), key[((0x3c+offset+1)%6)+1]))
133 |             if (pe < 1024) then
134 |                 do
135 |                     if (bit.bxor(a:byte(pe+1), key[((pe+offset)%6)+1]) == string.byte('P')) and
136 |                        (bit.bxor(a:byte(pe+2), key[((pe+offset+1)%6)+1]) == string.byte('E')) and
137 |                        (bit.bxor(a:byte(pe+3), key[((pe+offset+2)%6)+1]) == 0) and
138 |                        (bit.bxor(a:byte(pe+4), key[((pe+offset+3)%6)+1]) == 0) then
139 |                         return 1
140 |                     end
141 |                 end
142 |             end
143 | 
144 |         end
145 |     end 
146 | 
147 | -- Long shot; usually bytes 0x30 to 0x3b are 0-padding,
148 | -- so may actually contain the Key; decode PE offset and check
149 | -- it points to bytes that then decode to PE|00 00|
150 | 
151 |     for i = 0, 5, 1 do
152 |       key[i+1] = a:byte(0x30+i+1)
153 |     end
154 |     pe = bit.bxor(a:byte(0x3c+1), key[1]) + (256*bit.bxor(a:byte(0x3c+2), key[2]))
155 |     if (pe < 1024) then
156 |         do
157 |             offset = pe % 4
158 |             if (bit.bxor(a:byte(pe+1), key[offset+1]) == string.byte('P')) and 
159 |                (bit.bxor(a:byte(pe+2), key[((1+offset)%4)+1]) == string.byte('E')) and
160 |                (bit.bxor(a:byte(pe+3), key[((2+offset)%4)+1]) == 0) and
161 |                (bit.bxor(a:byte(pe+4), key[((3+offset)%4)+1]) == 0) then
162 |                 return 1
163 |             end
164 |             offset = pe % 6
165 |             if (bit.bxor(a:byte(pe+1), key[offset+1]) == string.byte('P')) and 
166 |                (bit.bxor(a:byte(pe+2), key[((1+offset)%6)+1]) == string.byte('E')) and
167 |                (bit.bxor(a:byte(pe+3), key[((2+offset)%6)+1]) == 0) and
168 |                (bit.bxor(a:byte(pe+4), key[((3+offset)%6)+1]) == 0) then
169 |                 return 1
170 |             end
171 |         end
172 |     end
173 | 
174 |     return 0
175 | end
176 | 
177 | return 0
178 | 


--------------------------------------------------------------------------------
/suri-suspicious-vbe.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2015, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | This lua script can be run standalone and verbosely on a vbe file with
 27 | echo "run()" | lua -i <script name> <vbe file>
 28 | 
 29 | VBE decoding based on tool written in Pascal in http://seclists.org/fulldisclosure/2003/Sep/734 :-
 30 |   program vbs_dec;  { Decrypts encrypted VBScript and JScript programs }
 31 |   { Copyright (c) 09/2003 Andreas Marx / http://www.av-test.org }
 32 | 
 33 | Chris Wakelin
 34 | Will Metcalf
 35 | --]]
 36 | 
 37 | --local lz = require("zlib")
 38 | local bit = require("bit")
 39 | 
 40 | -- {strings to match, number of matching strings needed, simple strings, description}
 41 | susp_class = {
 42 |               {"http://",1,true,"Embedded URL",0},
 43 |               {"[Rr][Ee][Aa][Dd][Mm][Ee][Mm][Oo]]",1,false,"Readmemory function",0},
 44 |               {"powershell",1,true,"Powershell call",0},
 45 |               {"[Ss][Hh][Ee][Ll][Ll][Ee][Xx][Ee][Cc]",1,false,"ShellExecute call",0},
 46 |               {"[Ww][Ss][Cc][Rr][Ii][Pp][Tt]%.[Ss][Hh][Ee][Ll][Ll]",1,false,"WScript.Shell call",0},
 47 |              }
 48 | 
 49 | function init (args)
 50 |     local needs = {}
 51 |     needs["http.response_body"] = tostring(true)
 52 |     return needs
 53 | end
 54 | 
 55 | function match_strings(a,match_set,verbose)
 56 |     local rtn = 0
 57 |     local n,m
 58 |     local num_strings = #match_set - 4 
 59 |     
 60 |     local match_num = match_set[num_strings+1]
 61 |     local plain = match_set[num_strings+2]
 62 |     local desc = match_set[num_strings+3]
 63 |     local fnd
 64 |     
 65 |     for n = 1, num_strings, 1 do
 66 |         m = match_set[n]
 67 |         if m ~= 0 then
 68 |             fnd = string.find(a,m,1,plain)
 69 |             if fnd then
 70 |                 match_set[num_strings+4] = match_set[num_strings+4] + 1
 71 |                 if verbose == 1 then print("Found String " .. m .. " " .. match_set[num_strings+4] .. " of " .. match_num) end
 72 |                 --match_set[num_strings+4] is our counter
 73 |                 if match_set[num_strings+4] == match_num then
 74 |                     if verbose == 1 then print("Found " .. desc) end
 75 |                     match_set[n] = 0
 76 |                     rtn = 1
 77 |                     break
 78 |                 else
 79 |                     --Found lets zero it out so we don't check again
 80 |                     match_set[n] = 0
 81 |                 end
 82 |            end
 83 |         end
 84 |     end
 85 |     return rtn
 86 | end
 87 | 
 88 | function common(t,verbose)
 89 | 
 90 |     rtn = 0
 91 |  
 92 |     u = deobfuscate(decode_vbe(t),verbose)
 93 | 
 94 |     if #u > 0 then
 95 |         if (verbose==1) then print("Found encoded VBE section(s)") end
 96 |         for l,s in pairs(susp_class) do
 97 |             if (verbose==1) then print("Looking for " .. s[#s-1] .. " in decoded sections") end
 98 |             if match_strings(u,s,verbose) == 1 then
 99 |                 rtn = 1
100 |                 if (verbose == 0) then
101 |                    break
102 |                 end
103 |             end
104 |         end
105 |     end
106 |     return rtn
107 | end
108 | 
109 | -- return match via table
110 | function match(args)
111 |     local t = tostring(args["http.response_body"])
112 |     return common(t,0)
113 | end
114 | 
115 | function run()
116 |   local f = io.open(arg[1])
117 |   local t = f:read("*all")
118 |   f:close()
119 |   if common(t,1) == 1 then print("Found Suspicious String in " .. arg[1]) end
120 | end
121 | 
122 | function base64_d(a,force_ascii)
123 | -- requires a to be a valid base64 string -
124 | -- only valid chars, multiple of 4 in length - else it will crash!
125 | -- converted from Blackhole JS version :-)
126 |     keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
127 |     b = ""
128 |     for i = 1, #a, 4 do
129 |         enc1 = keyStr:find(a:sub(i,i),1,true)-1
130 |         enc2 = keyStr:find(a:sub(i+1,i+1),1,true)-1
131 |         enc3 = keyStr:find(a:sub(i+2,i+2),1,true)-1
132 |         enc4 = keyStr:find(a:sub(i+3,i+3),1,true)-1
133 |         chr1 = bit.bor(bit.lshift(enc1,2),bit.rshift(enc2,4))
134 |         chr2 = bit.bor(bit.lshift(bit.band(enc2,15),4),bit.rshift(enc3,2))
135 |         chr3 = bit.bor(bit.lshift(bit.band(enc3,3),6),enc4)
136 |         b = b .. string.char(chr1)
137 |         if enc3 ~= 64 then b = b .. string.char(chr2) end
138 |         if enc4 ~= 64 then b = b .. string.char(chr3) end
139 |     end
140 |     if force_ascii == true and b:gsub("[%w%p%s]","") ~= "" then
141 |         return a,0
142 |     else
143 |         return b,1
144 |     end
145 | end
146 | 
147 | D_tabs = {
148 |      {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x57,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
149 |       0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
150 |       0x2E,0x47,0x7A,0x56,0x42,0x6A,0x2F,0x26,0x49,0x41,0x34,0x32,0x5B,0x76,0x72,0x43,
151 |       0x38,0x39,0x70,0x45,0x68,0x71,0x4F,0x09,0x62,0x44,0x23,0x75,0x3C,0x7E,0x3E,0x5E,
152 |       0xFF,0x77,0x4A,0x61,0x5D,0x22,0x4B,0x6F,0x4E,0x3B,0x4C,0x50,0x67,0x2A,0x7D,0x74,
153 |       0x54,0x2B,0x2D,0x2C,0x30,0x6E,0x6B,0x66,0x35,0x25,0x21,0x64,0x4D,0x52,0x63,0x3F,
154 |       0x7B,0x78,0x29,0x28,0x73,0x59,0x33,0x7F,0x6D,0x55,0x53,0x7C,0x3A,0x5F,0x65,0x46,
155 |       0x58,0x31,0x69,0x6C,0x5A,0x48,0x27,0x5C,0x3D,0x24,0x79,0x37,0x60,0x51,0x20,0x36}
156 |      ,
157 |      {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x7B,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
158 |       0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
159 |       0x32,0x30,0x21,0x29,0x5B,0x38,0x33,0x3D,0x58,0x3A,0x35,0x65,0x39,0x5C,0x56,0x73,
160 |       0x66,0x4E,0x45,0x6B,0x62,0x59,0x78,0x5E,0x7D,0x4A,0x6D,0x71,0x3C,0x60,0x3E,0x53,
161 |       0xFF,0x42,0x27,0x48,0x72,0x75,0x31,0x37,0x4D,0x52,0x22,0x54,0x6A,0x47,0x64,0x2D,
162 |       0x20,0x7F,0x2E,0x4C,0x5D,0x7E,0x6C,0x6F,0x79,0x74,0x43,0x26,0x76,0x25,0x24,0x2B,
163 |       0x28,0x23,0x41,0x34,0x09,0x2A,0x44,0x3F,0x77,0x3B,0x55,0x69,0x61,0x63,0x50,0x67,
164 |       0x51,0x49,0x4F,0x46,0x68,0x7C,0x36,0x70,0x6E,0x7A,0x2F,0x5F,0x4B,0x5A,0x2C,0x57}
165 |      ,
166 |      {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x6E,0x0A,0x0B,0x0C,0x06,0x0E,0x0F,
167 |       0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
168 |       0x2D,0x75,0x52,0x60,0x71,0x5E,0x49,0x5C,0x62,0x7D,0x29,0x36,0x20,0x7C,0x7A,0x7F,
169 |       0x6B,0x63,0x33,0x2B,0x68,0x51,0x66,0x76,0x31,0x64,0x54,0x43,0x3C,0x3A,0x3E,0x7E,
170 |       0xFF,0x45,0x2C,0x2A,0x74,0x27,0x37,0x44,0x79,0x59,0x2F,0x6F,0x26,0x72,0x6A,0x39,
171 |       0x7B,0x3F,0x38,0x77,0x67,0x53,0x47,0x34,0x78,0x5D,0x30,0x23,0x5A,0x5B,0x6C,0x48,
172 |       0x55,0x70,0x69,0x2E,0x4C,0x21,0x24,0x4E,0x50,0x09,0x56,0x73,0x35,0x61,0x4B,0x58,
173 |       0x3B,0x57,0x22,0x6D,0x4D,0x25,0x28,0x46,0x4A,0x32,0x41,0x3D,0x5F,0x4F,0x42,0x65}
174 | } -- cipher tables
175 | 
176 | I_tab = {
177 |       0x00,0x02,0x01,0x00,0x02,0x01,0x02,0x01,0x01,0x02,0x01,0x02,0x00,0x01,0x02,0x01,
178 |       0x00,0x01,0x02,0x01,0x00,0x00,0x02,0x01,0x01,0x02,0x00,0x01,0x02,0x01,0x01,0x02,
179 |       0x00,0x00,0x01,0x02,0x01,0x02,0x01,0x00,0x01,0x00,0x00,0x02,0x01,0x00,0x01,0x02,
180 |       0x00,0x01,0x02,0x01,0x00,0x00,0x02,0x01,0x01,0x00,0x00,0x02,0x01,0x00,0x01,0x02
181 | } -- cipher table selector
182 | 
183 | esc_tab = {[0x26] = 0x0a; [0x23] = 0x0d; [0x2a] = 0x3e; [0x21] = 0x3c; [0x24] = 0x40} -- escaped chars
184 | 
185 | function decode_vbe(s)
186 |   t = ""
187 |   for r in string.gmatch(s,"#@~%^[%w%+/=][%w%+/=][%w%+/=][%w%+/=][%w%+/=][%w%+/=][%w%+/=][%w%+/=].-%^#~@") do
188 |     x = base64_d(r:sub(5,12))
189 |     size = x:byte(1)+(256*x:byte(2))+(256*256*x:byte(3))+(256*256*256*x:byte(4))
190 |     p = 0;
191 |     skip = 0;
192 |     for i = 1+12, math.min(size+12,#r), 1 do
193 |       if (skip == 0) then
194 |         c = r:byte(i)
195 |         if (c < 128) then
196 |           d = D_tabs[I_tab[(p % 64)+1]+1][c+1]
197 |           if ((d == 255) and (i < #r)) then
198 |             if (esc_tab[r:byte(i+1)] ~= nil) then
199 |               t = t .. string.char(esc_tab[r:byte(i+1)])
200 |             end
201 |             skip = 1
202 |           else
203 |             t = t .. string.char(d)
204 |           end
205 |         else
206 |           t = t .. string.char(c)
207 |         end
208 |         p = p + 1
209 |       else
210 |         skip = 0
211 |       end
212 |     end
213 |   end   
214 |   return t
215 | end
216 | 
217 | function deobfuscate(a, verbose)
218 |     if verbose==1 then print("Deobfuscating : " .. a) end 
219 |     recursion_count = 0
220 |     num_matches = 1
221 |     while (recursion_count < 10) and (num_matches > 0) do
222 |         num_matches = 0
223 |         recursion_count = recursion_count + 1
224 |         a,n = a:gsub('\\u00(%x%x)',function(i) return string.format("%c", "0x" .. i) end) num_matches = num_matches + n
225 |         a,n = a:gsub('\\x(%x%x)',function(i) return string.format("%c", "0x" .. i) end) num_matches = num_matches + n
226 |         a,n = a:gsub('\\([0-7][0-7][0-7])',function(i) return string.format("%c", i:sub(3,3)+(8*i:sub(2,2))+(8*8*i:sub(1,1))) end) num_matches = num_matches + n
227 |         a,n = a:gsub('[Cc][Hh][Rr][Ww]?%((%d+)%)',function(i) return string.format("\39%c\39", i % 256) end) num_matches = num_matches + n
228 |         a,n = a:gsub('(["\39]) *[%&%+] *%1','') num_matches = num_matches + n
229 |         if verbose==1 and num_matches > 0 then print("Got some matches - repeating ...") end
230 |         end
231 |     if verbose==1 then print("Deobfuscating after " .. recursion_count .. " loops got : " .. a) end 
232 |     return a
233 | end
234 | 


--------------------------------------------------------------------------------
/suri-xor-binary-quick.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2013, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | This lua script can be run standalone and verbosely on a binary file with
 27 | echo "run()" | lua -i <script name> <binary file>
 28 | 
 29 | Chris Wakelin
 30 | --]]
 31 | 
 32 | function init (args)
 33 |     local needs = {}
 34 |     needs["http.response_body"] = tostring(true)
 35 |     return needs
 36 | end
 37 | 
 38 | function xor0(byte, key)
 39 |    local bit = require("bit")
 40 |    if byte == key or byte == 0 then
 41 |        return byte
 42 |    end
 43 |    return bit.bxor(byte,key)
 44 | end
 45 | 
 46 | -- return match via table
 47 | function common(a,verbose)
 48 |     local bit = require("bit")
 49 | 
 50 |     key = {}
 51 | 
 52 |     if #a < 1024 then 
 53 |         return 0
 54 |     end
 55 | 
 56 | -- Usually bytes 0x30 to 0x3b are 0-padding,
 57 | -- so may actually contain the Key; decode PE offset at 0x3c and check
 58 | -- it points to bytes that then decode to PE|00 00|
 59 | -- 7,8,9,10,11,12 also cover their divisors 1 - 6, but include 4 four safety
 60 | 
 61 |     key_lengths = {4,7,8,9,10,11,12}
 62 | 
 63 |     for n, l in pairs(key_lengths) do
 64 | 
 65 |         koffset = ((l-(0x30 % l)) % l)
 66 | 
 67 |         for i = 0, l-1, 1 do
 68 |            key[i+1] = a:byte(0x30+1+((i+koffset) % l))
 69 |         end
 70 |         
 71 | 
 72 |         pe = bit.bxor(a:byte(0x3c+1), key[1+(0x3c % l)]) + (256*bit.bxor(a:byte(0x3c+2), key[1+((0x3c+1) % l)]))
 73 |         if verbose==1 then print("Trying " .. l .. "-byte XOR key; PE block at " .. pe) end
 74 |         if ((pe < 4096) and (pe < #a-4)) then
 75 |             offset = pe % l
 76 |             if (bit.bxor(a:byte(pe+1), key[offset+1]) == string.byte('P')) and 
 77 |                (bit.bxor(a:byte(pe+2), key[((1+offset)%l)+1]) == string.byte('E')) and
 78 |                (bit.bxor(a:byte(pe+3), key[((2+offset)%l)+1]) == 0) and
 79 |                (bit.bxor(a:byte(pe+4), key[((3+offset)%l)+1]) == 0) then
 80 |                 if verbose==1 then print("Found " .. l .. "-byte XOR key; PE block at " .. pe) end
 81 |                 return 1
 82 |             end
 83 |         end
 84 |     end
 85 | 
 86 | -- Check for g01pack/Blackhole 1-byte XOR key
 87 |     k = a:byte(1);
 88 |     pe = bit.bxor(a:byte(0x3c+2), k) + (256*bit.bxor(a:byte(0x3c+3),k))
 89 |     if ((pe < 4096) and (pe < #a-5)) then
 90 |         if (bit.bxor(a:byte(pe+2), k) == string.byte('P')) and 
 91 |            (bit.bxor(a:byte(pe+3), k) == string.byte('E')) and
 92 |            (bit.bxor(a:byte(pe+4), k) == 0) and
 93 |            (bit.bxor(a:byte(pe+5), k) == 0) then
 94 |             if verbose==1 then print("Found g01pack 1-byte XOR key " .. k .. " - PE block at " .. pe) end
 95 |             return 1
 96 |         end
 97 |     end
 98 | 
 99 | -- Check for SofosFO-obfuscated binary
100 | 
101 |     b = ""
102 |     -- Quick check that 2nd byte -> 'Z'
103 |     k1 = bit.bxor(a:byte(1), string.byte('M'))
104 |     k2 = bit.bxor((k1 + 170) % 256, 0x48)
105 | 
106 |     if (bit.bxor(a:byte(2),k2) == string.byte('Z')) and (#a > 2048) then 
107 |     -- now check for a PE header
108 |         k = (bit.bxor(a:byte(1), string.byte('M'), 0x48) - 170) % 256
109 |         k1 = k
110 |           for i = 1, 2048, 1 do
111 |           k = bit.bxor((k + 170) % 256, 0x48)
112 |           b = b .. string.char(bit.bxor(a:byte(i), k))
113 |         end
114 | 
115 |         pe = b:byte(0x3c+1) + (256*b:byte(0x3c+2))
116 | 
117 |         if ((pe < 2048) and (pe < #b-4)) then
118 |             if b:byte(pe+1) == string.byte('P') and
119 |                b:byte(pe+2) == string.byte('E') and
120 |                b:byte(pe+3) == 0 and
121 |                b:byte(pe+4) == 0 then
122 |                 if verbose==1 then print("Found SofosFO XOR seed " .. k1 .. " - PE block at " .. pe) end
123 |                 return 1
124 |             end
125 |         end
126 |     end
127 | 
128 | -- Check for Blackhole - long int obfuscated binary
129 |     b = "MZ\144\0" 
130 |     k = a:byte(1) + (a:byte(2)*256) + (a:byte(3)*256*256) + (a:byte(4)*256*256*256)
131 |     k2 = k % 2
132 |     k3 = k % 3
133 |     for i = 5, 2048, 1 do
134 |         c = a:byte(i)
135 |         k = bit.band((k * 0x343fd) + 0x269ec3,0x7fffffff)
136 |         x = (k % 241) + 15
137 |         k = bit.band((k * 0x343fd) + 0x269ec3,0x7fffffff)
138 |         r = (k % 6) + 1
139 |         if k2 == 0 then
140 |             c = bit.bor(bit.lshift(c,r),bit.rshift(c,8-r)) % 256
141 |         else
142 |             c = bit.bor(bit.rshift(c,r),bit.lshift(c,8-r)) % 256
143 |         end
144 |         if k3 == 0 then
145 |             c = bit.bxor(c,x)
146 |         elseif k3 == 1 then
147 |             c = (c - x) % 256
148 |         else
149 |             c = (c + x) % 256
150 |         end
151 |         -- Quick check that byte 5 -> 0x03
152 |         if i == 5 and c ~= 3 then break end
153 |         b = b .. string.char(c)
154 |     end
155 |     if #b == 2048 then
156 |         pe = b:byte(0x3c+1) + (256*b:byte(0x3c+2))
157 | 
158 |         if ((pe < 2048) and (pe < #b-4)) then
159 |             if b:byte(pe+1) == string.byte('P') and
160 |                b:byte(pe+2) == string.byte('E') and
161 |                b:byte(pe+3) == 0 and
162 |                b:byte(pe+4) == 0 then
163 |                 if verbose==1 then print("Found Blackhole long int encoding - PE block at " .. pe) end
164 |                 return 1
165 |             end
166 |         end
167 |     end
168 | 
169 | -- Check for Fiesta - 256-byte seeded XOR
170 |     n = 0
171 |     m = 0
172 |     b = ""
173 |     k = a:sub(1,256); -- key string
174 |     for i = 1, 2048, 1 do
175 |         n = (n + 1) % 256
176 |         m = (m + k:byte(n+1)) % 256
177 |         -- swap char n and m in the key string
178 |         if n < m then
179 |            k = k:sub(1,n) .. k:sub(m+1,m+1) .. k:sub(n+2,m) .. k:sub(n+1,n+1) .. k:sub(m+2)
180 |         elseif n > m then
181 |            k = k:sub(1,m) .. k:sub(n+1,n+1) .. k:sub(m+2,n) .. k:sub(m+1,m+1) .. k:sub(n+2)
182 |         end
183 |         c = bit.bxor(a:byte(i+256),k:byte(((k:byte(n+1)+k:byte(m+1)) % 256) + 1))
184 |         -- Quick check that first two bytes are "MZ"
185 |         if i == 1 and c ~= string.byte('M') then break end
186 |         if i == 2 and c ~= string.byte('Z') then break end
187 |         b = b .. string.char(c)
188 |     end
189 |     if #b == 2048 then
190 |         pe = b:byte(0x3c+1) + (256*b:byte(0x3c+2))
191 | 
192 |         if ((pe < 2048) and (pe < #b-4)) then
193 |             if b:byte(pe+1) == string.byte('P') and
194 |                b:byte(pe+2) == string.byte('E') and
195 |                b:byte(pe+3) == 0 and
196 |                b:byte(pe+4) == 0 then
197 |                 if verbose==1 then print("Found Fiesta encryption - PE block at " .. pe) end
198 |                 return 1
199 |             end
200 |         end
201 |     end
202 |        
203 | -- Check for XOR with 0 and XOR-key bytes left alone
204 | -- PE offset is (nearly?) always divisible by 8, so key lengths 1,2,4 will always be detected
205 | -- Can match other key lengths in some cases where the remainder on dividing into 0x3c is 0,1,2 or 4
206 | -- and on dividing into the PE offset is 0 or 1 (or 4 when the key length is 5)
207 |     key = {xor0(a:byte(1), string.byte('M')), xor0(a:byte(2), string.byte('Z')), xor0(a:byte(3), 0x90), 0, xor0(a:byte(5), 0x03), 0, 0, 0}
208 | 
209 |     key_lengths = {1,3,5,6,7,8}
210 |     for n,l in pairs(key_lengths) do
211 |       
212 |         koffset = 0x3c % l
213 |         pe = xor0(a:byte(0x3c+1),key[1+koffset]) + (256*xor0(a:byte(0x3c+2),key[((1+koffset) % l) + 1]))
214 |         if verbose==1 then print("Trying PE header at " .. pe) end
215 | 
216 |         koffset = pe % l
217 |         if ((pe < 4096) and (pe < #a-4)) then
218 |             if xor0(a:byte(pe+1),key[1+koffset]) == string.byte('P') and
219 |                xor0(a:byte(pe+2),key[((1+koffset) % l) + 1]) == string.byte('E') and
220 |                a:byte(pe+3) == 0 and
221 |                a:byte(pe+4) == 0 then
222 |                 if verbose==1 then print("Found " .. l .. "-byte XOR-but-not-zero key " .. key[1] .. "," .. key[2] .. " - PE block at " .. pe) end
223 |                 return 1
224 |             end
225 |         end
226 |     end
227 | 
228 | -- Check for NicePack reversed/4-byte XORed binary
229 |     for i = 0, 4, 1 do
230 |       key[i+1] = a:byte(#a-0x30-i)
231 |     end
232 | 
233 |     pe = bit.bxor(a:byte(#a-0x3c), key[1]) + (256*bit.bxor(a:byte(#a-0x3c-1), key[2]))
234 |     if ((pe < 4096) and (pe < #a-4)) then
235 |         offset = pe % 4
236 |         if (bit.bxor(a:byte(#a-pe), key[offset+1]) == string.byte('P')) and 
237 |            (bit.bxor(a:byte(#a-1-pe), key[((1+offset)%4)+1]) == string.byte('E')) and
238 |            (bit.bxor(a:byte(#a-2-pe), key[((2+offset)%4)+1]) == 0) and
239 |            (bit.bxor(a:byte(#a-3-pe), key[((3+offset)%4)+1]) == 0) then
240 |             if verbose==1 then print("Found 4-byte XOR key for reversed binary; PE block at " .. pe) end
241 |             return 1
242 |         end
243 |     end
244 | 
245 | -- Check for Magnitude subtract single byte - 4th byte is usually "0"
246 |     k = a:byte(4);
247 |     pe = ((a:byte(0x3c+1) - k) % 256) + (256*((a:byte(0x3c+2)-k) % 256))
248 |     if ((pe < 4096) and (pe < #a-5)) then
249 |         if ((a:byte(pe+1) - k) % 256 == string.byte('P')) and 
250 |            ((a:byte(pe+2) - k) % 256 == string.byte('E')) and
251 |            ((a:byte(pe+3) - k) % 256 == 0) and
252 |            ((a:byte(pe+4) - k) % 256 == 0) then
253 |             if verbose==1 then print("Found Magnitude 1-byte subtract key " .. k .. " - PE block at " .. pe) end
254 |             return 1
255 |         end
256 |     end
257 | 
258 | -- Check for Upatre LZNT1-compressed + 4-byte incrementing XORed binary
259 | 
260 |     key[1] = bit.bxor(a:byte(9),string.byte('Z'))
261 |     key[2] = bit.bxor(a:byte(10),0x90)
262 |     key[3] = a:byte(7)
263 |     key[4] = bit.bxor(a:byte(8),string.byte('M'))
264 |     k = key[1]+(256*key[2])+(256*256*key[3])+(256*256*256*key[4])
265 |     if k > 0 then
266 |         b = ""
267 |         for i = 9,20,4 do
268 |           k1 = bit.bxor(k,a:byte(i)+(256*a:byte(i+1))+(256*256*a:byte(i+2))+(256*256*256*a:byte(i+3)))
269 |           b = b .. string.char(k1 % 256) .. string.char(bit.rshift(k1,8) % 256) .. string.char(bit.rshift(k1,16) % 256) .. string.char(bit.rshift(k1,24) % 256)
270 |           k = k+1
271 |         end
272 |         if b == "Z\144\0\003\0\0\0\130\004\0\048\255" then
273 |             if verbose==1 then print("Found Upatre 4-byte XOR key for LZNT1-compressed binary") end
274 |             return 1
275 |         end
276 |     end
277 | 
278 | 
279 |     return 0
280 | end
281 | 
282 | 
283 | -- return match via table
284 | function match(args)
285 |     local t = tostring(args["http.response_body"])
286 |     return common(t,0)
287 | end
288 | 
289 | function run()
290 |   local f = io.open(arg[1])
291 |   local t = f:read("*all")
292 |   f:close()
293 |   common(t,1)
294 | end
295 | 


--------------------------------------------------------------------------------
/luajit-drop.rules:
--------------------------------------------------------------------------------
 1 | #*************************************************************
 2 | #  Copyright (c) 2003-2012, Emerging Threats
 3 | #  All rights reserved.
 4 | #  
 5 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 6 | #  following conditions are met:
 7 | #  
 8 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 9 | #    disclaimer.
10 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
11 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
12 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
13 | #    from this software without specific prior written permission.
14 | #  
15 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
16 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
17 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
18 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
19 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
20 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
21 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
22 | #
23 | #*************************************************************
24 | 
25 | ##### Existing Rules
26 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:" Java/1."; http_user_agent; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:2;)
27 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_user_agent; content:!"37"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:24;)
28 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_user_agent; content:!"9"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:13;)
29 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;)
30 | 
31 | #####
32 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-detect.lua; filestore:response; sid:379000001; rev:4;)
33 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed binary via Java"; flowbits:isset,ET.http.javaclient; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-quick.lua; classtype:trojan-activity; sid:379000001; rev:5;)
34 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; classtype:trojan-activity; sid:379000002; rev:2;)
35 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar via vulnerable client"; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; filestore:response; classtype:trojan-activity; sid:379000003; rev:2;)
36 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT zip test - Blackhole 2.x <name>[abc].class Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-bh2-abc-jar.lua; filestore:response; sid:379000004; rev:1;)
37 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed-non-zero binary"; flow:from_server,established; file_data; content:"|00 00 00 00 00 00|"; offset:48; depth:54; luajit:suri-xor-non-zero.lua; classtype:trojan-activity; sid:379000005; rev:2;)
38 | #
39 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed)"; flow:from_server,established; file_data; content:"FWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016688; rev:5;)
40 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed)"; flow:from_server,established; file_data; content:"CWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016687; rev:5;)
41 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA)"; flow:from_server,established; file_data; content:"ZWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:9016687; rev:5;)
42 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"kern"; fast_pattern:only;  content:"FWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6688; rev:5;)
43 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"CWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6687; rev:5;)
44 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"ZWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6689; rev:5;)
45 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious PDF"; flow:from_server,established; file_data; content:"%PDF-"; within:20; luajit:suri-suspicious-pdf.lua; classtype:trojan-activity; sid:99221187; rev:1;)
46 | #
47 | drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Acrobat exploit URL"; flow:established,to_server; urilen:>200; content:".pdf"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000007; rev:1;)
48 | drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Java exploit URL"; flow:established,to_server; content:"Java/1"; http_user_agent; urilen:>200; content:".jar"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000008; rev:1;)
49 | drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx font exploit URL"; flow:established,to_server; urilen:>200; content:".eot"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000009; rev:1;)
50 | drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx URL"; flow:established,to_server; urilen:>200; content:".html"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000010; rev:1;)
51 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Reversed compressed binary via Java"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|78|"; fast_pattern:only; pcre:"/\x78$/R"; luajit:suri-reversed-compressed-binary.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000011; rev:1;)
52 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible SilverLight Exploit CVE-2013-0074"; flow:from_server,established; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; nocase; luajit:CVE-2013-0074.lua; classtype:trojan-activity; sid:379000012; rev:2;)
53 | drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Nuclear landing URL"; flow:established,to_server; urilen:>40; content:".html"; http_uri; pcre:"/^\/[a-f0-9A-Z\-\_]+(\/\d+\/[0-9a-f]{32})?\.html$/U"; luajit:suri-nuclear-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000013; rev:1;)
54 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious pack200-ed JAR file"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; luajit:suri-suspicious-pack200jar.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000017; rev:1;)
55 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT PPT with oleObject contaning INF from SMB Probably CVE-2014-4114"; flow:established,from_server; file_data; content:"ppt/embeddings/oleObject"; luajit:CVE-2014-4114.lua; sid:14919911; rev:1; classtype:attempted-admin;)
56 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Memory Corruption Vulnerability CVE-2015-1641"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/document.xml"; distance:0; nocase; luajit:CVE-2015-1641.lua; reference:cve,2015-1641; classtype:attempted-admin; sid:379000021; rev:1;)
57 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1650"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/numbering.xml"; distance:0; nocase; luajit:CVE-2015-1650.lua; reference:cve,2015-1650; classtype:attempted-admin; sid:379000022; rev:1;)
58 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible RIG XORed binary"; flow:from_server,established; content:"Content-Type|3a| application/x-msdownload"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000023; rev:1;)
59 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible Nuclear XORed binary"; flow:from_server,established; content:"Content-Disposition|3a| inline|3b| filename=|0d 0a|"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000024; rev:1;)
60 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious VBE"; flow:from_server,established; file_data; content:"#@~^"; within:2048; luajit:suri-suspicious-vbe.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000025; rev:1;)
61 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1770"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"/activeX/activeX"; nocase; fast_pattern; pcre:"/^\d+\.xml/Ri"; luajit:CVE-2015-1770.lua; reference:cve,2015-1770; classtype:attempted-admin; sid:379000026; rev:1;)
62 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Possible Adobe Flash CVE-2015-3113 in FLV"; flow:established,from_server; file_data; content:"FLV"; within:3; byte_test:1,&,4,1,relative; luajit:CVE-2015-3113.lua; reference:cve,2015-3113; classtype:attempted-admin; sid:379000027; rev:1;)
63 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc ASLR Bypass Vulnerability CVE-2015-2375"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/tables/table"; distance:0; content:".xml"; distance:0; luajit:CVE-2015-2375.lua; reference:cve,2015-2375; classtype:attempted-admin; sid:379000028; rev:1;)
64 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Memory Corruption Vulnerability CVE-2015-2377"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/charts/"; distance:0; fast_pattern; content:".xml"; distance:0; luajit:CVE-2015-2377.lua; reference:cve,2015-2377; classtype:attempted-admin; sid:379000029; rev:1;)
65 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible OpenType Font Driver Vulnerability CVE-2015-2426"; flow:established,from_server; file_data; content:"GPOS"; within:520; fast_pattern; luajit:CVE-2015-2426.lua; reference:cve,2015-2426; classtype:attempted-admin; sid:379000030; rev:1;)
66 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc Memory Corruption Vulnerability CVE-2015-2558"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/workbook.xml"; fast_pattern:only; luajit:CVE-2015-2558.lua; reference:cve,2015-2558; classtype:attempted-admin; sid:379000031; rev:1;)
67 | drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2016-0056"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/_rels/webSettings.xml.rels"; distance:0; nocase; luajit:CVE-2016-0056.lua; reference:cve,2016-0056; classtype:attempted-admin; sid:30300056; rev:1;)
68 | 


--------------------------------------------------------------------------------
/luajit.rules:
--------------------------------------------------------------------------------
 1 | #*************************************************************
 2 | #  Copyright (c) 2003-2012, Emerging Threats
 3 | #  All rights reserved.
 4 | #  
 5 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
 6 | #  following conditions are met:
 7 | #  
 8 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 9 | #    disclaimer.
10 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
11 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
12 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
13 | #    from this software without specific prior written permission.
14 | #  
15 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
16 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
17 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
18 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
19 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
20 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
21 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
22 | #
23 | #*************************************************************
24 | 
25 | ##### Existing Rules
26 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:" Java/1."; http_user_agent; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:2;)
27 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_user_agent; content:!"37"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:24;)
28 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_user_agent; content:!"9"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:13;)
29 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;)
30 | 
31 | #####
32 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-detect.lua; filestore:response; sid:379000001; rev:4;)
33 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed binary via Java"; flowbits:isset,ET.http.javaclient; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-quick.lua; filestore:response; classtype:trojan-activity; sid:379000001; rev:5;)
34 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; filestore:response; classtype:trojan-activity; sid:379000002; rev:2;)
35 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar via vulnerable client"; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; filestore:response; classtype:trojan-activity; sid:379000003; rev:2;)
36 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT zip test - Blackhole 2.x <name>[abc].class Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-bh2-abc-jar.lua; filestore:response; sid:379000004; rev:1;)
37 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed-non-zero binary"; flow:from_server,established; file_data; content:"|00 00 00 00 00 00|"; offset:48; depth:54; luajit:suri-xor-non-zero.lua; filestore:response; classtype:trojan-activity; sid:379000005; rev:2;)
38 | #
39 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed)"; flow:from_server,established; file_data; content:"FWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016688; rev:5;)
40 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed)"; flow:from_server,established; file_data; content:"CWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016687; rev:5;)
41 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA)"; flow:from_server,established; file_data; content:"ZWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:9016687; rev:5;)
42 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"kern"; fast_pattern:only;  content:"FWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6688; rev:5;)
43 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"CWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6687; rev:5;)
44 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"ZWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6689; rev:5;)
45 | #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious PDF"; flow:from_server,established; file_data; content:"%PDF-"; within:20; luajit:suri-suspicious-pdf.lua; classtype:trojan-activity; sid:99221187; rev:1;)
46 | #
47 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Acrobat exploit URL"; flow:established,to_server; urilen:>200; content:".pdf"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000007; rev:1;)
48 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Java exploit URL"; flow:established,to_server; content:"Java/1"; http_user_agent; urilen:>200; content:".jar"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000008; rev:1;)
49 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx font exploit URL"; flow:established,to_server; urilen:>200; content:".eot"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000009; rev:1;)
50 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx URL"; flow:established,to_server; urilen:>200; content:".html"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000010; rev:1;)
51 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Reversed compressed binary via Java"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|78|"; fast_pattern:only; pcre:"/\x78$/R"; luajit:suri-reversed-compressed-binary.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000011; rev:1;)
52 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible SilverLight Exploit CVE-2013-0074"; flow:from_server,established; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; nocase; luajit:CVE-2013-0074.lua; classtype:trojan-activity; sid:379000012; rev:2;)
53 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Nuclear landing URL"; flow:established,to_server; urilen:>40; content:".html"; http_uri; pcre:"/^\/[a-f0-9A-Z\-\_]+(\/\d+\/[0-9a-f]{32})?\.html$/U"; luajit:suri-nuclear-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000013; rev:1;)
54 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious pack200-ed JAR file"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; luajit:suri-suspicious-pack200jar.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000017; rev:1;)
55 | alert tls any any -> any any (msg:"ET LUAJIT Possible TLS HEARTBLEED malformed heartbeat record"; flow:established,to_server; dsize:>7; content:"|18 03|"; depth:2; byte_test:1,<,4,2; luajit:tls-heartbleed.lua; classtype:misc-attack; sid:378000017; rev:1;)
56 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT PPT with oleObject contaning INF from SMB Probably CVE-2014-4114"; flow:established,from_server; file_data; content:"ppt/embeddings/oleObject"; luajit:CVE-2014-4114.lua; sid:14919911; rev:1; classtype:attempted-admin;)
57 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon TCP"; flow:established,to_server; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000018; rev:1;)
58 | alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon UDP"; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000019; rev:1;)
59 | alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon ICMP"; itype:8; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000020; rev:1;)
60 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Memory Corruption Vulnerability CVE-2015-1641"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/document.xml"; distance:0; nocase; luajit:CVE-2015-1641.lua; reference:cve,2015-1641; classtype:attempted-admin; sid:379000021; rev:1;)
61 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1650"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/numbering.xml"; distance:0; nocase; luajit:CVE-2015-1650.lua; reference:cve,2015-1650; classtype:attempted-admin; sid:379000022; rev:1;)
62 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible RIG XORed binary"; flow:from_server,established; content:"Content-Type|3a| application/x-msdownload"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000023; rev:1;)
63 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible Nuclear XORed binary"; flow:from_server,established; content:"Content-Disposition|3a| inline|3b| filename=|0d 0a|"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000024; rev:1;)
64 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious VBE"; flow:from_server,established; file_data; content:"#@~^"; luajit:suri-suspicious-vbe.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000025; rev:2;)
65 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1770"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"/activeX/activeX"; nocase; fast_pattern; pcre:"/^\d+\.xml/Ri"; luajit:CVE-2015-1770.lua; reference:cve,2015-1770; classtype:attempted-admin; sid:379000026; rev:1;)
66 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Possible Adobe Flash CVE-2015-3113 in FLV"; flow:established,from_server; file_data; content:"FLV"; within:3; byte_test:1,&,4,1,relative; luajit:CVE-2015-3113.lua; reference:cve,2015-3113; classtype:attempted-admin; sid:379000027; rev:1;)
67 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc ASLR Bypass Vulnerability CVE-2015-2375"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/tables/table"; distance:0; content:".xml"; distance:0; luajit:CVE-2015-2375.lua; reference:cve,2015-2375; classtype:attempted-admin; sid:379000028; rev:1;)
68 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Memory Corruption Vulnerability CVE-2015-2377"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/charts/"; distance:0; fast_pattern; content:".xml"; distance:0; luajit:CVE-2015-2377.lua; reference:cve,2015-2377; classtype:attempted-admin; sid:379000029; rev:1;)
69 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible OpenType Font Driver Vulnerability CVE-2015-2426"; flow:established,from_server; file_data; content:"GPOS"; within:520; fast_pattern; luajit:CVE-2015-2426.lua; reference:cve,2015-2426; classtype:attempted-admin; sid:379000030; rev:1;)
70 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc Memory Corruption Vulnerability CVE-2015-2558"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/workbook.xml"; fast_pattern:only; luajit:CVE-2015-2558.lua; reference:cve,2015-2558; classtype:attempted-admin; sid:379000031; rev:1;)
71 | #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2;)
72 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Xbagging encrypted macro XOR-ed payload"; flow:from_server,established; flowbits:isset,ET.vba-jpg-dl; file_data; content:!"|ff d8 ff|"; within:3; luajit:suri-xbagging-xor.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000033; rev:1;)
73 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Xbagging encrypted macro XOR-ed payload (2)"; flow:from_server,established; flowbits:isset,ET.vba-jpg-dl; file_data; content:!"|ff d8 ff|"; within:3; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000034; rev:1;)
74 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible PPT LoadLibrary dll Inclusion CVE-2015-6132 CVE-2015-6133"; flow:established,from_server; file_data; content:"ppt/embeddings/oleObject"; luajit:CVE-2015-6132.lua; reference:cve,2015-6132; reference:cve,2015-6133; classtype:attempted-admin; sid:379000035; rev:1;)
75 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2016-0056"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/_rels/webSettings.xml.rels"; distance:0; nocase; luajit:CVE-2016-0056.lua; reference:cve,2016-0056; classtype:attempted-admin; sid:30300056; rev:1;)
76 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT XORed binary from .exe URI with no referer"; flow:from_server,established; flowbits:isset,exe.no.referer; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000036; rev:1;)
77 | 


--------------------------------------------------------------------------------
/suri-suspicious-pdf.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2013, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | Detection for suspicious PDF files. Currently only supports /FlateDecode requires luazlib  module.
 26 | 
 27 | #lua-zlib
 28 | https://github.com/brimworks/lua-zlib
 29 | #lua-apr
 30 | sudo apt-get install lua-apr lua-apr-dev
 31 | 
 32 | This lua script can be run standalone and verbosely on a PDF file with
 33 | echo "run()" | lua -i <script name> <pdf file>
 34 | 
 35 | Chris Wakelin
 36 | Will Metcalf
 37 | --]]
 38 | local lz = require 'zlib'
 39 | require 'struct'
 40 | local apr = require 'apr.core'
 41 | 
 42 | function init (args)
 43 |     local needs = {}
 44 |     needs["http.response_body"] = tostring(true)
 45 |     return needs
 46 | end
 47 | 
 48 | function cve_2013_2729(xfa,verbose)
 49 |     if string.find(xfa,"<image[^>]*>[\n%s\r]-Qk[A-Za-z0-9%+%/\n%s\r]-AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC") ~= nil then
 50 |         if verbose == 1 then print("Evil CVE-2013-2729") end
 51 |         return 1
 52 |     end
 53 |     return 0
 54 | end
 55 | 
 56 | function suspicious_string_search(js,verbose)
 57 |     local ret = 0
 58 |     local fnd = nil
 59 | 
 60 |     _,_,fnd  = string.find(js,">(SUkqADggAA[^<]-)<")    
 61 |     if fnd ~= nil then
 62 |         local tiffdata = apr.base64_decode(fnd)
 63 |         if struct.unpack("<I4",string.sub(tiffdata,5,8)) == 0x2038 then
 64 |             if verbose == 1 then
 65 |                 print ("likely CVE-2010-0188 PDF")
 66 |                 ret = 1
 67 |             else
 68 |                 return 1
 69 |             end
 70 |         end
 71 |     end
 72 |     _,_,fnd  = string.find(js,">(TU0AKgAA[^<]-)<")
 73 |     if fnd ~= nil then
 74 |         local tiffdata = apr.base64_decode(fnd)
 75 |         if struct.unpack(">I4",string.sub(tiffdata,5,8)) == 0x2038 then
 76 |             if verbose == 1 then
 77 |                 print ("likely CVE-2010-0188 PDF")
 78 |                 ret = 1
 79 |             else
 80 |                 return 1
 81 |             end
 82 |         end
 83 |     end
 84 |     fnd = string.find(js,"\044\036\036\036\036\058\040\033\091\093\043\034\034\041\091",0,true)
 85 |     if fnd ~= nil then
 86 |         if verbose == 1 then
 87 |             print("Suspicous: Found JJEncoded Script")
 88 |             ret = 1
 89 |         else
 90 |             return 1
 91 |         end
 92 |     end
 93 |     --Evertyhing below this line has quotes and + removed
 94 |     js = string.gsub(js,"[\034\039%+]","")
 95 |     fnd = string.find(js,"=%[XA%(%(%d%),0-[A-F0-9]-%),XA%(%(%d%),0-[A-F0-9]-%),XA%(%(%d%),0-[A-F0-9]-%)")
 96 |     if fnd ~= nil then
 97 |         if verbose == 1 then
 98 |             print("Suspicous: Found Sytx/Cool PDF")
 99 |             ret = 1
100 |         else
101 |             return 1
102 |         end
103 |     end
104 |     
105 |     fnd = string.find(js,"ImageField1.ZZA(321,513613",0,true)
106 |     if fnd ~= nil then
107 |         if verbose == 1 then
108 |             print("Suspicous: Found BHEK PDF")
109 |             ret = 1
110 |         else
111 |             return 1
112 |         end
113 |     end
114 |     fnd = string.find(js,"charCodeAt",0,true)
115 |     if fnd ~= nil then
116 |         if verbose == 1 then
117 |             print("Suspicous: Found charCodeAt in JS")
118 |             ret = 1
119 |         else
120 |             return 1
121 |         end
122 |     end
123 |     fnd = string.find(js,".replace",0,true)
124 |     if fnd ~= nil then
125 |         if verbose == 1 then
126 |             print("Suspicous: Found .replace in JS")
127 |             ret = 1
128 |         else
129 |             return 1
130 |         end
131 |     end
132 |     fnd = string.find(js,"eval%(",0,true)
133 |     if fnd ~= nil then
134 |         if verbose == 1 then
135 |             print("Suspicous: Found eval in JS")
136 |             ret = 1
137 |         else
138 |             return 1
139 |         end
140 |     end
141 |     fnd = string.find(js,"unescape",0,true)
142 |     if fnd ~= nil then
143 |         if verbose == 1 then
144 |             print("Suspicous: Found unescape in JS")
145 |             ret = 1
146 |         else
147 |             return 1
148 |         end
149 |     end
150 |     fnd = string.find(js,"This Program Cannot Be Run in DOS Mode",0,true)
151 |     if fnd ~= nil then
152 |         if verbose == 1 then
153 |             print("Suspicous: Found This Program Cannot Be Run in DOS")
154 |             ret = 1
155 |         else
156 |             return 1
157 |         end
158 |     end
159 |     fnd = string.find(js,"app.setTimeOut",0,true)
160 |     if fnd ~= nil then
161 |         if verbose == 1 then
162 |             print("Suspicous: Found app.setTimeOut in JS")
163 |             ret = 1
164 |         else
165 |             return 1
166 |         end
167 |     end
168 |     fnd = string.find(js,"\092u4f4f\092u4f4f",0,true)
169 |     if fnd ~= nil then
170 |         if verbose == 1 then
171 |             print("Suspicous: Found \092u4f4f\092u4f4f Spray String in JS")
172 |             ret = 1
173 |         else
174 |             return 1
175 |         end
176 |     end
177 |     fnd = string.find(js,"u9090",0,true)
178 |     if fnd ~= nil then
179 |         if verbose == 1 then
180 |             print("Suspicous: Found u9090 Spray String in JS")
181 |             ret = 1
182 |         else
183 |             return 1
184 |         end
185 |     end
186 |     fnd = string.find(js,".fromCharCode",0,true)
187 |     if fnd ~= nil then
188 |         if verbose == 1 then
189 |             print("Suspicous: Found .fromCharCode")
190 |             ret = 1
191 |         else
192 |             return 1
193 |         end
194 |     end
195 |     fnd = string.find(js,".substr%(",0,true)
196 |     if fnd ~= nil then
197 |         if verbose == 1 then
198 |             print("Suspicous: Found .substr%(")
199 |             ret = 1
200 |         else
201 |             return 1
202 |         end
203 |     end
204 | 
205 |     fnd = string.find(js,"function[\r\n%s]-heapSpray")
206 |     if fnd ~= nil then
207 |         if verbose == 1 then
208 |             print("Suspicous: Found function heapSpray")
209 |             ret = 1
210 |         else
211 |             return 1
212 |         end
213 |     end
214 |     fnd = string.find(js,"^^^^e^^^^v^^^^a^^^^l^^^^(^^^^v",0,true)
215 |     if fnd ~= nil then
216 |         if verbose == 1 then
217 |             print("Suspicous: Found Nuclear PDF")
218 |             ret = 1
219 |         else
220 |             return 1
221 |         end
222 |     end     
223 |     fnd = string.find(js,"6xFYuX.FAABJgDQI..XJdff\0474Ojq\047\047\047")
224 |     if fnd ~= nil then
225 |         if verbose == 1 then
226 |             print("Suspicous: Found Fiesta PDF")
227 |             ret = 1
228 |         else
229 |             return 1
230 |         end
231 |     end
232 |      _,_,fnd,m1,m2 = string.find(js,"(\093\059([a-z0-9][a-z0-9][a-z0-9]?)=parseInt%([a-z0-9][a-z0-9][a-z0-9]?,16%)\059([a-z0-9][a-z0-9][a-z0-9]?)=%3[a-z0-9][a-z0-9][a-z0-9]?%(%2%)\125return %3\125)")
233 |     if fnd ~= nil then
234 |         if verbose == 1 then
235 |             print("Suspicous: Found Fiesta PDF M2 " .. fnd)
236 |             ret = 1
237 |         else
238 |             return 1
239 |         end
240 |     end
241 |     --CVE-2013-3346
242 |     if string.find(js,"app.removeToolButton",0,true) ~= nil then
243 |         function_table = {}
244 |         add_button_table = {}
245 |         --iterate over the fuctions
246 |         for fname,f in string.gmatch(js,"(%w+)[\r\n%s]-=[\r\n%s]-function[\r\n%s]-%([^%)]-%)[\r\n%s]-(%b{})") do
247 |             function_table[fname]=f
248 |         end
249 |         for fname,f in string.gmatch(js,"function[\r\n%s]+(%w+)[\r\n%s]-%([^%)]-%)[\r\n%s]-(%b{})") do
250 |             function_table[fname]=f
251 |         end 
252 |         for i, v in pairs(function_table) do 
253 |             _,_,remove_button_function = string.find(v,"app.removeToolButton[\r\n%s]-%((%b{})")
254 |             if remove_button_function ~= nil then
255 |                 _,_,removecname = string.find(remove_button_function,"cName[\r\n%s]-:[\r\n%s]-([^\r\n%s,%}]+)")
256 |                 for add_button in string.gmatch(js,"app.addToolButton[\r\n%s]-%([\r\n%s]-(%b{})") do
257 |                     if string.find(add_button,"cName[\r\n%s]-:[\r\n%s]-"..removecname) ~= nil then
258 |                         _,_,enablefunc = string.find(add_button,"cEnable[\r\n%s]-:[\r\n%s]-([^\r\n%s%,%}%(]+)")
259 |                         if function_table[enablefunc] ~= nil then
260 |                              fnd = string.find(function_table[enablefunc],"cEnable[\r\n%s]-:[\r\n%s]-"..i)
261 |                              if fnd ~= nil then
262 |                                  if verbose == 1 then
263 |                                      print("Found CVE-2013-3346")
264 |                                      ret = 1
265 |                                  else
266 |                                      return 1
267 |                                  end
268 |                              end
269 |                         end
270 |                     end
271 |                 end
272 |             end
273 |         end
274 |         local cexec = nil
275 |         local button_name = nil
276 |         for add_button in string.gmatch(js,"app.addToolButton[\r\n%s]-%([\r\n%s]-(%b{})") do
277 |            print(add_button)
278 |             _,_,cname = string.find(add_button,"cName[\r\n%s]-:[\r\n%s]-([^\r\n%s%,%}%(]+)")
279 |             if cname ~= nil and string.find(add_button,"cExec[\r\n%s]-:.-app.removeToolButton[\r\n%s]-%("..cname.."[\r\n%s]-%)") ~= nil then
280 |                 if verbose == 1 then
281 |                     print("Found CVE-2013-3346")
282 |                     ret = 1
283 |                 else
284 |                     return 1
285 |                 end
286 |             end
287 |          end
288 |     end
289 |     
290 | ----[[    _,_,fnd = string.find(js,"return%([\r%s]-[\034\039]([a-zA-Z0-9%+]-)[\034\039]")
291 |     if fnd ~= nil and string.len(fnd) > 512 then
292 |         if verbose == 1 then
293 |             print("Suspicous: Found return of static hex string longer than 512 chars")
294 |             ret = 1
295 |         else
296 |             return 1
297 |         end
298 |     end
299 | --]]--
300 |     return ret
301 | end
302 | -- Replace this. It is actually a really dumb way to deal with >> in stream data 
303 | function parse_object(obj_data,verbose)
304 |     local stream_data,sstart,send = nil
305 |     local stream_data_final = nil
306 |     local dict_start,dict_end,tag_data = string.find(obj_data,"<<(.*)>>")
307 |     if tag_data ~= nil then
308 |         if string.find(tag_data,">>[\r\n%s%%]*stream[%s\r\n]*") ~= nil then
309 |             _,_,tag_data = string.find(obj_data,"^(.*)>>[\r\n%s%%]*stream[%s\r\n]*",dict_start+2)
310 |             dict_end = dict_start + string.len(tag_data) + 3 
311 |         end
312 |         _,stream_start = string.find(obj_data,"^[\r\n%s%%]*stream[%s\r\n]*",dict_end+1)
313 |         tag_data=(AsciiHexDecodePound(tag_data))        
314 |         if stream_start ~= nil then
315 |             if string.find(tag_data,'FlateDecode') ~= nil and string.find(tag_data,'ObjStm') ~= nil then
316 |                     _,_,offset = string.find(tag_data,'First%s*(%d+)')
317 |                     if offset ~= nil then
318 |                         --print(offset)
319 |                         stream_start = stream_start + offset
320 |                     end
321 |             end 
322 |             local sstart,send,stream_data = string.find(obj_data,"^(.-)\n?endstream",stream_start+1)
323 | 
324 |             --this is a pretty dumb way to deal with this we should parse all Filters and process them in an ordered list but since we only support 2 right now.... 
325 |             if string.find(tag_data,'\047Filter[\r\n%s]-\047FlateDecode') ~= nil or string.find(tag_data,'\047Filter[\r\n%s]-%[[\r\n%s]-\047FlateDecode[\r\n%s]-]') ~= nil then
326 |                 stream_data_final = FlateDecode(stream_data)
327 |             elseif string.find(tag_data,'\047Filter[\r\n%s]-\047ASCIIHexDecode') ~= nil or string.find(tag_data,'\047Filter[\r\n%s]-%[?[\r\n%s]-\047ASCIIHexDecode[\r\n%s]-%]?') ~= nil then
328 |                 stream_data_final = AsciiHexDecode(stream_data)
329 |             elseif string.find(tag_data,'\047Filter[\r\n%s]-%[[\r\n%s]-\047ASCIIHexDecode[\r\n%s]-\047FlateDecode[\r\n%s]-%]') ~= nil then
330 |                 stream_data = AsciiHexDecode(stream_data)
331 |                 stream_data_final = FlateDecode(stream_data)
332 |             elseif string.find(tag_data,'\047Filter[\r\n%s]-%[[\r\n%s]-\047FlateDecode[\r\n%s]-\047ASCIIHexDecode[\r\n%s]-%]') ~= nil then
333 |                 stream_data = FlateDecode(stream_data)
334 |                 stream_data_final = AsciiHexDecode(stream_data)
335 |             else
336 |                 stream_data_final = stream_data
337 |             end
338 |         end
339 |     end
340 | --[[
341 |     if verbose == 1 then
342 |            if tag_data ~= nil then
343 |                print("--obj data--\n" .. tag_data .. "\n--obj data--")
344 |            end
345 |            if stream_data_final ~= nil then
346 |                print("--stream data--\n" .. stream_data_final .. "\n--stream data--")
347 |                print(stream_data_final)
348 |            end
349 |     end
350 | ]]--
351 |     return {tag_data,stream_data_final}
352 | end
353 | 
354 | function populate_objects_table(pdf,pdf_objects_tbl,verbose)
355 |     for obj_num,obj_data in string.gfind(pdf,"\n?(%d+%s+%d+)%s+obj%s*(.-)%s*\n?endobj") do
356 |          pdf_objects_tbl[obj_num]=parse_object(obj_data,verbose)
357 |     end          
358 | end
359 | 
360 | function AsciiHexDecode(t)
361 |   t = string.gsub(t,"%s","")
362 |   local decoded = string.gsub(t,"(%x%x)", function(h) return string.char(tonumber(h,16)) end)
363 |   return decoded
364 | end
365 | 
366 | function FlateDecode(t)
367 |     local stream = lz.inflate()
368 |     stream_data_final, eof, bytes_in, uncompressed_len = stream(t)
369 |     return stream_data_final
370 | end
371 | 
372 | function AsciiHexDecodePound(t)
373 |   local decoded = string.gsub(t,"#(%x%x)",function(h) return string.char(tonumber(h,16)) end)
374 |   return decoded
375 | end
376 | 
377 | function common(t,verbose)
378 |    local ret = 0
379 |    local tret = 0
380 |    pdf_objects_tbl={}
381 |    populate_objects_table(t,pdf_objects_tbl,verbose)
382 |    for k,v in pairs(pdf_objects_tbl) do
383 |        if pdf_objects_tbl[k][1] ~= nil then
384 |            if pdf_objects_tbl[k][2] then 
385 |                tret = cve_2013_2729(tostring(pdf_objects_tbl[k][2]),verbose)
386 |                if tret == 1 then
387 |                    if verbose == 1 then
388 |                        ret = 1
389 |                    else
390 |                        return 1
391 |                    end
392 |                end
393 |                tret = suspicious_string_search(tostring(pdf_objects_tbl[k][2]),verbose)
394 |                if tret == 1 then
395 |                    if verbose == 1 then
396 |                        ret = 1
397 |                    else
398 |                        return 1
399 |                    end
400 |                end
401 |            end
402 |        end
403 |    end
404 |    return ret
405 | end
406 | 
407 | function match(args)
408 |     local t = tostring(args["http.response_body"])
409 |     local o = args["offset"]
410 |     ret=common(t,0)
411 |     return ret 
412 | end
413 | 
414 | function run()
415 |   local f = io.open(arg[1])
416 |   local t = f:read("*all")
417 |   f:close()
418 |   common(t,1)
419 | end
420 | 


--------------------------------------------------------------------------------
/suri-suspicious-jar2.lua:
--------------------------------------------------------------------------------
  1 | --[[
  2 | #*************************************************************
  3 | #  Copyright (c) 2003-2013, Emerging Threats
  4 | #  All rights reserved.
  5 | #  
  6 | #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
  7 | #  following conditions are met:
  8 | #  
  9 | #  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
 10 | #    disclaimer.
 11 | #  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
 12 | #    following disclaimer in the documentation and/or other materials provided with the distribution.
 13 | #  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
 14 | #    from this software without specific prior written permission.
 15 | #  
 16 | #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 17 | #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 18 | #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 19 | #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 20 | #  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 21 | #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 22 | #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 23 | #
 24 | #*************************************************************
 25 | 
 26 | Detection for suspicious Jar files requires lua zip module.
 27 | sudo apt-get install liblua5.1-zip-dev 
 28 | 
 29 | This lua script can be run standalone and verbosely on a Jar file with
 30 | echo "run()" | lua -i <script name> <jar file>
 31 | 
 32 | Chris Wakelin
 33 | Will Metcalf
 34 | --]]
 35 | 
 36 | require("zip")
 37 | -- {strings to match, number of matching strings needed, simple strings, description}
 38 | susp_class = {
 39 |               {"EpgKF3twh",1,true,"Blackhole URL obfuscation string",0},
 40 |               {"ZKM5.4.3",1,true,"Blackhole Zelix obfuscator string",0},
 41 |               {"ZKM%d\046%d\046%dE",1,false,"Zelix obfuscator Eval Version",0},
 42 |               {"/.:_-?&=%#;",1,true,"g01pack obfuscation string",0},
 43 |               {"zoOloloshit","MyPa@yload@.cla@@ss","getololoByName",1,true,"Metasploit based EK",0},
 44 |               {"%zI.........................................................................\1%zI.........................................................................\12",1,false,"possible g01pack obfuscation strings",0},
 45 |               {"DEvuYp",1,true,"Nuclear obfuscation string",0},
 46 |               {"9.-=_/:?&",1,true,"RedKit/Sakura obfuscation string",0},
 47 |               {"yv66v",1,true,"Base-64-encoded class file",0},
 48 |               {"/upload/install_flash_player.",1,true,"Unknown EK Payload Download",0},
 49 |               {"glassfish/gmbal",1,true,"glassfish/gmbal CVE-2012-5076 exploit class file",0},
 50 |               {"jmx/mbeanserver",1,true,"jmx/mbeanserver Java 7u9 exploit class file",0},
 51 |               {"mbeanserver/Introspector",1,true,"mbeanserver/Introspector Java 7u11 exploit class file",0},
 52 |               {'glassfish/external/statistics/impl',1,true,"CVE-2012-5076 2 exploit class file",0},
 53 |               {"management/MBeanServer",1,true,"management/MBeanServer Java 7 exploit class file",0},
 54 |               {'sun.org.mozilla.javascript.internal.Context','sun.org.mozilla.javascript.internal.GeneratedClassLoader',2,true,"Mozilla JS Class Creation Used in Various Exploits",0},
 55 |               {"SunToolkit", "getField","forName","setSecurityManager","execute",5,true,"CVE-2012-4681 Metasploit and others",0},
 56 |               {"AtomicReferenceArray","ProtectionDomain","AllPermission","defineClass","newInstance",5,true,"BH CVE-2012-0507 Metasploit and Others",0},
 57 |               {'java/awt/color/ColorSpace','BufferedImage','StackTrace',3,true,"CVE-2013-1493 exploit",0},
 58 |               {"f428e4e8",1,true,"Blackhole obfuscated class file",0},
 59 |               {"CAFEBABE",1,true,"Hex-encoded class file",0},
 60 |               {"[Cc].?.?.?[Aa].?.?.?[Ff].?.?.?[Ee].?.?.?[Bb].?.?.?[Aa].?.?.?[Bb].?.?.?[Ee]",1,false,"Hex-encoded class file (possibly obfuscated)",0},
 61 |               {"F-Abr-rb",1,true,"Cool EK/SofosFO encoded class file",0},
 62 |               {'fuck','Payload','java.security.AllPermission','AtomicReferenceArray',4,true,"Blackhole Atomic Reference Array exploit",0},
 63 |               {'invokeWithArguments','invoke/MethodHandle','invoke/MethodType','forName',4,true,"CVE-2012-5088 exploit class file",0},
 64 |               {'wnin.frphevgl',1,true,"rot13-encoded class name",0},
 65 |               {"reflect/Field","invoke/MethodHandle","invokeExact","findStaticSetter",3,true,"CVE-2013-2423",0},
 66 |               {"etSecurityManager",1,true,"[gs]etSecurityManager www.fireeye.com/blog/technical/2013/06/get-set-null-java-security.html",0},
 67 |               {"jdbc:msf:sql://",1,true,"CVE-2013-1488 Metasploit",0},
 68 |               {"reganaMytiruceS",1,true,"SecurityManger reversed PrivatePack June 27 2013",0},
 69 |               {"tracing/ProviderFactory",1,true,"CVE-2013-2460",0},
 70 |               {"java/security/ProtectionDomain",1,true,"Generic java/security/ProtectionDomain (Observed in Styx)",0},
 71 |               {"isableSecurity",1,true,"Generic [Dd]isableSecurity (Observed in Styx)",0},
 72 |               {"java/awt/image","Raster","SampleModel",3,true,"Classes used in awt exploits",0},
 73 |               {"java/awt/image/SinglePixelPacked",1,true,"CVE-2013-2471/2472/2473",0},
 74 |               {"java/awt/image/MultiPixelPacked",1,true,"CVE-2013-2465/2463",0},
 75 |               {"what the fuck for v",1,true,"CK EK http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",0},
 76 |               {"I\008mg\027Y\014Wv\001a\029Pc\031I\014",1,true,"GonDadEK etSecurityManager with static XOR key http://www.kahusecurity.com/2013/chinese-exploit-pack-updated/",0},
 77 |               {"javafx/application/Preloader","javafx/stage/Stage","javafx/application/Application",3,true,"Java7u21 Click2play Bypass http://seclists.org/bugtraq/2013/Jul/41 ???",0}, 
 78 |               {"[cC][Mm][dD]\046[Ee][Xx][Ee]%s/[Cc]",1,false,"cmd.exe /c as seen in IceFog/SplinterRat",0},
 79 |               {"\092[Ss][Oo][Ff][Tt][Ww][Aa][Rr][Ee]\092[Mm][Ii][Cc][Rr][Oo][Ss][Oo][Ff][Tt]\092[Ww][Ii][Nn][Dd][Oo][Ww][Ss]\092[Cc][Uu][Rr][Rr][Ee][Nn][Tt][Vv][Ee][Rr][Ss][Ii][Oo][Nn]\092[Rr][Uu][Nn]",1,false,"Access to windows Run key",0},
 80 |               {"this url is error","xor","randGen","numbersAndLetters",4,true,"Operation Poisoned Helmand http://www.threatconnect.com/news/operation-poisoned-helmand/",0},
 81 |               {"FuddedByPORNCORE",1,true,"Unknown EK",0},
 82 |              }
 83 | 
 84 | obfus_strings = {
 85 | }
 86 | function init (args)
 87 |     local needs = {}
 88 |     needs["http.response_body"] = tostring(true)
 89 |     return needs
 90 | end
 91 | 
 92 | function match_strings(a,match_set,verbose)
 93 |     local rtn = 0
 94 |     local n,m
 95 |     local num_strings = #match_set - 4 
 96 |     
 97 |     local match_num = match_set[num_strings+1]
 98 |     local plain = match_set[num_strings+2]
 99 |     local desc = match_set[num_strings+3]
100 |     local fnd
101 |     
102 |     for n = 1, num_strings, 1 do
103 |         m = match_set[n]
104 |         if m ~= 0 then
105 |             fnd = string.find(a,m,1,plain)
106 |             if fnd then
107 |                 match_set[num_strings+4] = match_set[num_strings+4] + 1
108 |                 if verbose == 1 then print("Found String " .. m .. " " .. match_set[num_strings+4] .. " of " .. match_num) end
109 |                 --match_set[num_strings+4] is our counter
110 |                 if match_set[num_strings+4] == match_num then
111 |                     if verbose == 1 then print("Found " .. desc) end
112 |                     match_set[n] = 0
113 |                     rtn = 1
114 |                     break
115 |                 else
116 |                     --Found lets zero it out so we don't check again
117 |                     match_set[n] = 0
118 |                 end
119 |            end
120 |         end
121 |     end
122 |     return rtn
123 | end
124 | 
125 | function xor_bin_check (a,verbose)
126 |     if #a < 1024 then
127 |        return 0
128 |     end
129 | 
130 |     local bit = require("bit")
131 | 
132 |     local pe = a:byte(0x3c+1) + (256*a:byte(0x3c+2))
133 |     local key = {}
134 |     local i, l, n, key_lengths, offset, koffset, zeroes
135 | 
136 |     if (pe < 4096) then
137 |         if a:byte(pe+1) == string.byte('P') and
138 |            a:byte(pe+2) == string.byte('E') and
139 |            a:byte(pe+3) == 0 and
140 |            a:byte(pe+4) == 0 then
141 |             if (verbose==1) then print('Found PE32 executable') end
142 |             return 0
143 |         end
144 |     end
145 | 
146 |     key_lengths = {4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24}
147 | 
148 |     for n, l in pairs(key_lengths) do
149 |         zeroes = 0x30;
150 |         if (l > 12) then zeroes = 0x28; end
151 |         if (l > 20) then zeroes = 0x20; end
152 | 
153 |         koffset = ((l-(zeroes % l)) % l)
154 | 
155 |         for i = 0, l-1, 1 do
156 |            key[i+1] = a:byte(zeroes+1+((i+koffset) % l))
157 |         end
158 |         
159 | 
160 |         pe = bit.bxor(a:byte(0x3c+1), key[1+(0x3c % l)]) + (256*bit.bxor(a:byte(0x3c+2), key[1+((0x3c+1) % l)]))
161 |         if verbose==1 then print("Trying " .. l .. "-byte XOR key; PE block at " .. pe) end
162 |         if (pe < 4096) then
163 |             offset = pe % l
164 |             if a:byte(pe+4) ~= nil and key[((3+offset)%l)+1] ~= nil then
165 |                 if (bit.bxor(a:byte(pe+1), key[offset+1]) == string.byte('P')) and 
166 |                    (bit.bxor(a:byte(pe+2), key[((1+offset)%l)+1]) == string.byte('E')) and
167 |                    (bit.bxor(a:byte(pe+3), key[((2+offset)%l)+1]) == 0) and
168 |                    (bit.bxor(a:byte(pe+4), key[((3+offset)%l)+1]) == 0) then
169 |                    if verbose==1 then print("Found " .. l .. "-byte XOR key; PE block at " .. pe) end
170 |                      return 1
171 |                 end
172 |             end
173 |         end
174 |     end
175 | 
176 |     return 0
177 | end
178 | 
179 | function xor_class_check (a,verbose)
180 |     if #a < 1024 then
181 |        return 0
182 |     end
183 |     local bit = require("bit")
184 |     local k = bit.bxor(a:byte(1), 0xca) 
185 |     if k ~= 0 then
186 |         if (bit.bxor(a:byte(2), k) == 0xfe) and
187 |            (bit.bxor(a:byte(3), k) == 0xba) and
188 |            (bit.bxor(a:byte(4), k) == 0xbe) then
189 |             if (verbose==1) then print('Found class file XORed with ' .. k) end
190 |             return 1
191 |         end
192 |     end
193 |     return 0
194 | end
195 | 
196 | function common(t,verbose)
197 | 
198 |     rtn = 0
199 | 
200 |     -- tmpfs setup should be faster
201 |     -- mkdir -p /home/suricata/scratch  && sudo mount -t tmpfs -o size=1G,mode=0700 tmpfs /home/suricata/scratch && sudo chown suricata:suricata /home/suricata/scratch/
202 |     -- tmpname = "/home/suricata/scratch/eviljars." .. tostring(os.time()) .. "." .. tostring(math.random(2000000,9000000))
203 |     tmpname = os.tmpname()
204 | 
205 |     tmp = io.open(tmpname,'w')
206 |     tmp:write(t)
207 |     tmp:close()
208 | 
209 |     z = zip.open(tmpname)
210 | 
211 |     if z then 
212 |         for w in z:files() do
213 |             f = z:open(w.filename);
214 |             u = f:read("*all")
215 |             f:close()
216 |             if (verbose==1) then print("Checking " .. w.filename) end
217 |             if (string.sub(u,1,4) == "\202\254\186\190" or string.sub(u,1,2) == "\172\237") then -- CAFEBABE or ACED in decimal
218 |                 for l,s in pairs(susp_class) do
219 |                     if (verbose==1) then print("Looking for " .. s[#s-1] .. " in ".. w.filename) end
220 |                     if match_strings(u,s,verbose) == 1 then
221 |                         rtn = 1
222 |                         if (verbose == 0) then
223 |                            break
224 |                         end
225 |                     end
226 |                 end
227 |                 
228 |             else 
229 | 
230 | --- Not a class file - see if it is some form of EXE
231 | 
232 | --- SPL obfuscated EXE - XOR key
233 |                 fnd = string.find(u,"\201\203\195\162\145",1,true)
234 |                 if fnd then
235 |                     rtn = 1
236 |                     if (verbose==1) then
237 |                         print('Found SPL 5-byte XOR key in ' .. w.filename)
238 |                     else
239 |                         break
240 |                     end
241 |                 end
242 | -- CAFEBABE backwards at end of file
243 |                 if string.sub(u,#u-3) == "\190\186\254\202" then
244 |                     rtn = 1
245 |                     if (verbose==1) then
246 |                         print('Found reversed class file in ' .. w.filename)
247 |                     else
248 |                         break
249 |                     end
250 |                 end
251 | -- CAFEBABE XORed with single byte as found in Styx; can't be XORed with 0 or we wouldn't be here
252 |                 if xor_class_check(u,verbose) == 1 then
253 |                     rtn = 1
254 |                     if (verbose==1) then
255 |                         print('Found XORed class file in ' .. w.filename)
256 |                     else
257 |                         break
258 |                     end
259 |                 end
260 | -- Stolen GoDaddy certificate Serial number 2b:73:43:2a:a8:4f:44
261 |                 fnd = string.find(u,"\43\115\67\42\168\79\68",1,true) 
262 |                 if fnd then
263 |                     rtn = 1
264 |                     if (verbose==1) then
265 |                         print('Found Stolen GoDaddy CLEARESULT certificate in ' .. w.filename)
266 |                     else
267 |                         break
268 |                     end
269 |                 end
270 | -- Zupionic Kurz Instruments 
271 |                 fnd = string.find(u,"\085\004\003\019\022Kurz Instruments, Inc.",1,true)
272 |                 if fnd then
273 |                     rtn = 1
274 |                     if (verbose==1) then
275 |                         print('Likely Stolen Kurz Cert found in ' .. w.filename .. ' http://malwageddon.blogspot.fi/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html')
276 |                     else
277 |                         break
278 |                     end
279 |                 end
280 | -- R P Infosystems Instruments 
281 |                 fnd = string.find(u,"\085\004\003..R P Infosystems Pvt Ltd")
282 |                 if fnd then
283 |                     rtn = 1
284 |                     if (verbose==1) then
285 |                         print('Likely Stolen R P Infosystems Cert found in ' .. w.filename .. ' http://malwageddon.blogspot.fi/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html')
286 |                     else
287 |                         break
288 |                     end
289 |                 end
290 | 
291 | -- Zupionic iLoq Oy 
292 |                 fnd = string.find(u,"\085\004\003..iLoq Oy")
293 |                 if fnd then
294 |                     rtn = 1
295 |                     if (verbose==1) then
296 |                         print('Likely Stolen iLoq Oy Cert found in ' .. w.filename .. ' http://malwageddon.blogspot.fi/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html')
297 |                     else
298 |                         break
299 |                     end
300 |                 end
301 | -- Zupionic Queens University 
302 |                 fnd = string.find(u,"\085\004\003..Queen\039s University")
303 |                 if fnd then
304 |                     rtn = 1
305 |                     if (verbose==1) then
306 |                         print('Likely Stolen Queens University Cert found in ' .. w.filename .. ' http://malwageddon.blogspot.fi/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html')
307 |                     else
308 |                         break
309 |                     end
310 |                 end
311 | -- Bitcoin Self Signed Leading to CyberGate 
312 |                 fnd = string.find(u,"\085\004\003\019\013James Patrick",1,true)
313 |                 if fnd then
314 |                     rtn = 1
315 |                     if (verbose==1) then
316 |                         print('Found BitCoin to CyberGate Cert James Patrick' .. w.filename)
317 |                     else
318 |                         break
319 |                     end
320 |                 end
321 | -- Icefog Cert
322 |                 fnd = string.find(u,"\085\029\017\004\025\048\023\129\021admin@warmestsoft.net",1,true)
323 |                 if fnd then
324 |                     rtn = 1
325 |                     if (verbose==1) then
326 |                         print('Found IceFog COMODO Cert' .. w.filename)
327 |                     else
328 |                         break
329 |                     end
330 |                 end
331 | 
332 | -- Registry File
333 |                 if (string.sub(u,1,8) == "REGEDIT4" or string.sub(u,1,8) == "REGEDIT5" or string.sub(u,1,23) == "Windows Registry Editor") then
334 |                     rtn = 1
335 |                     if (verbose==1) then
336 |                         print('Registry File Found in ' .. w.filename)
337 |                     else
338 |                         break
339 |                     end
340 |                 end
341 | -- XORed PE32 Executable
342 |                 if xor_bin_check(u,verbose) == 1 then
343 |                     rtn = 1
344 |                     if (verbose==1) then
345 |                         print('Found possibly XORed PE32 executable in ' .. w.filename) 
346 |                     else
347 |                         break
348 |                     end
349 |                 end
350 |             end
351 |             if (rtn == 1) and (verbose == 0) then
352 |                 break
353 |             end
354 |         end
355 |         z:close()
356 |     end
357 |     os.remove(tmpname)
358 |     return rtn
359 | end
360 | 
361 | -- return match via table
362 | function match(args)
363 |     local t = tostring(args["http.response_body"])
364 |     return common(t,0)
365 | end
366 | 
367 | function run()
368 |   local f = io.open(arg[1])
369 |   local t = f:read("*all")
370 |   f:close()
371 |   if common(t,1) == 1 then print("Found Suspicious String in " .. arg[1]) end
372 | end
373 | 
374 | 


--------------------------------------------------------------------------------
/dyndomains-only.txt:
--------------------------------------------------------------------------------
   1 | flashserv.net
   2 | xns01.com
   3 | dnsdynamic.net
   4 | dnsget.org
   5 | proxy8080.com
   6 | mysq1.net
   7 | http01.com
   8 | ssh01.com
   9 | user32.com
  10 | ttl60.com
  11 | ddns01.com
  12 | fe100.net
  13 | imap01.com
  14 | craftx.biz
  15 | ns360.info
  16 | ttl60.org
  17 | x64.me
  18 | tempors.com
  19 | https443.com
  20 | tftpd.net
  21 | wow64.net
  22 | dnsapi.info
  23 | kadm5.com
  24 | voip01.com
  25 | ssh22.net
  26 | ftp21.net
  27 | ntdll.net
  28 | dns53.biz
  29 | dnsd.info
  30 | sql01.com
  31 | ole32.com
  32 | adultdns.net
  33 | http80.info
  34 | ####no-ip#####
  35 | blogsyte.com
  36 | brasilia.me
  37 | cable-modem.org
  38 | ciscofreak.com
  39 | collegefan.org
  40 | couchpotatofries.org
  41 | damnserver.com
  42 | ddns.me
  43 | ditchyourip.com
  44 | dnsfor.me
  45 | dnsiskinky.com
  46 | dvrcam.info
  47 | dynns.com
  48 | eating-organic.net
  49 | fantasyleague.cc
  50 | geekgalaxy.com
  51 | golffan.us
  52 | health-carereform.com
  53 | homesecuritymac.com
  54 | homesecuritypc.com
  55 | hopto.me
  56 | ilovecollege.info
  57 | loginto.me
  58 | mlbfan.org
  59 | mmafan.biz
  60 | myactivedirectory.com
  61 | mydissent.net
  62 | myeffect.net
  63 | mymediapc.net
  64 | mypsx.net
  65 | mysecuritycamera.com
  66 | mysecuritycamera.net
  67 | mysecuritycamera.org
  68 | net-freaks.com
  69 | nflfan.org
  70 | nhlfan.net
  71 | no-ip.ca
  72 | no-ip.co.uk
  73 | no-ip.net
  74 | noip.us
  75 | pgafan.net
  76 | point2this.com
  77 | pointto.us
  78 | privatizehealthinsurance.net
  79 | quicksytes.com
  80 | read-books.org
  81 | securityexploits.com
  82 | securitytactics.com
  83 | serveexchange.com
  84 | servehumour.com
  85 | servep2p.com
  86 | servesarcasm.com
  87 | stufftoread.com
  88 | ufcfan.org
  89 | unusualperson.com
  90 | workisboring.com
  91 | 3utilities.com
  92 | bounceme.net
  93 | ddns.net
  94 | ddnsking.com
  95 | gotdns.ch
  96 | hopto.org
  97 | myftp.biz
  98 | myftp.org
  99 | myvnc.com
 100 | no-ip.biz
 101 | no-ip.info
 102 | no-ip.org
 103 | noip.me
 104 | redirectme.net
 105 | servebeer.com
 106 | serveblog.net
 107 | servecounterstrike.com
 108 | serveftp.com
 109 | servegame.com
 110 | servehalflife.com
 111 | servehttp.com
 112 | serveminecraft.net
 113 | servemp3.com
 114 | servepics.com
 115 | servequake.com
 116 | sytes.net
 117 | webhop.me
 118 | zapto.org
 119 | ####dyn.com#####
 120 | at-band-camp.net
 121 | barrel-of-knowledge.info
 122 | barrell-of-knowledge.info
 123 | better-than.tv
 124 | blogdns.com
 125 | blogdns.net
 126 | blogdns.org
 127 | blogsite.org
 128 | boldlygoingnowhere.org
 129 | broke-it.net
 130 | buyshouses.net
 131 | cechire.com
 132 | dnsalias.com
 133 | dnsalias.net
 134 | dnsalias.org
 135 | dnsdojo.com
 136 | dnsdojo.net
 137 | dnsdojo.org
 138 | does-it.net
 139 | doesntexist.com
 140 | doesntexist.org
 141 | dontexist.com
 142 | dontexist.net
 143 | dontexist.org
 144 | doomdns.com
 145 | doomdns.org
 146 | dvrdns.org
 147 | dyn-o-saur.com
 148 | dynalias.com
 149 | dynalias.net
 150 | dynalias.org
 151 | dynathome.net
 152 | dyndns-at-home.com
 153 | dyndns-at-work.com
 154 | dyndns-blog.com
 155 | dyndns-free.com
 156 | dyndns-home.com
 157 | dyndns-ip.com
 158 | dyndns-mail.com
 159 | dyndns-office.com
 160 | dyndns-pics.com
 161 | dyndns-remote.com
 162 | dyndns-server.com
 163 | dyndns-web.com
 164 | dyndns-wiki.com
 165 | dyndns-work.com
 166 | dyndns.biz
 167 | dyndns.info
 168 | dyndns.org
 169 | dyndns.tv
 170 | dyndns.ws
 171 | endofinternet.net
 172 | endofinternet.org
 173 | endoftheinternet.org
 174 | est-a-la-maison.com
 175 | est-a-la-masion.com
 176 | est-le-patron.com
 177 | est-mon-blogueur.com
 178 | for-better.biz
 179 | for-more.biz
 180 | for-our.info
 181 | for-some.biz
 182 | for-the.biz
 183 | forgot.her.name
 184 | forgot.his.name
 185 | from-ak.com
 186 | from-al.com
 187 | from-ar.com
 188 | from-az.net
 189 | from-ca.com
 190 | from-co.net
 191 | from-ct.com
 192 | from-dc.com
 193 | from-de.com
 194 | from-fl.com
 195 | from-ga.com
 196 | from-hi.com
 197 | from-ia.com
 198 | from-id.com
 199 | from-il.com
 200 | from-in.com
 201 | from-ks.com
 202 | from-ky.com
 203 | from-la.net
 204 | from-ma.com
 205 | from-md.com
 206 | from-me.org
 207 | from-mi.com
 208 | from-mn.com
 209 | from-mo.com
 210 | from-ms.com
 211 | from-mt.com
 212 | from-nc.com
 213 | from-nd.com
 214 | from-ne.com
 215 | from-nh.com
 216 | from-nj.com
 217 | from-nm.com
 218 | from-nv.com
 219 | from-ny.net
 220 | from-oh.com
 221 | from-ok.com
 222 | from-or.com
 223 | from-pa.com
 224 | from-pr.com
 225 | from-ri.com
 226 | from-sc.com
 227 | from-sd.com
 228 | from-tn.com
 229 | from-tx.com
 230 | from-ut.com
 231 | from-va.com
 232 | from-vt.com
 233 | from-wa.com
 234 | from-wi.com
 235 | from-wv.com
 236 | from-wy.com
 237 | ftpaccess.cc
 238 | fuettertdasnetz.de
 239 | game-host.org
 240 | game-server.cc
 241 | getmyip.com
 242 | gets-it.net
 243 | go.dyndns.org
 244 | gotdns.com
 245 | gotdns.org
 246 | groks-the.info
 247 | groks-this.info
 248 | ham-radio-op.net
 249 | here-for-more.info
 250 | hobby-site.com
 251 | hobby-site.org
 252 | home.dyndns.org
 253 | homedns.org
 254 | homeftp.net
 255 | homeftp.org
 256 | homeip.net
 257 | homelinux.com
 258 | homelinux.net
 259 | homelinux.org
 260 | homeunix.com
 261 | homeunix.net
 262 | homeunix.org
 263 | iamallama.com
 264 | in-the-band.net
 265 | is-a-anarchist.com
 266 | is-a-blogger.com
 267 | is-a-bookkeeper.com
 268 | is-a-bruinsfan.org
 269 | is-a-bulls-fan.com
 270 | is-a-candidate.org
 271 | is-a-caterer.com
 272 | is-a-celticsfan.org
 273 | is-a-chef.com
 274 | is-a-chef.net
 275 | is-a-chef.org
 276 | is-a-conservative.com
 277 | is-a-cpa.com
 278 | is-a-cubicle-slave.com
 279 | is-a-democrat.com
 280 | is-a-designer.com
 281 | is-a-doctor.com
 282 | is-a-financialadvisor.com
 283 | is-a-geek.com
 284 | is-a-geek.net
 285 | is-a-geek.org
 286 | is-a-green.com
 287 | is-a-guru.com
 288 | is-a-hard-worker.com
 289 | is-a-hunter.com
 290 | is-a-knight.org
 291 | is-a-landscaper.com
 292 | is-a-lawyer.com
 293 | is-a-liberal.com
 294 | is-a-libertarian.com
 295 | is-a-linux-user.org
 296 | is-a-llama.com
 297 | is-a-musician.com
 298 | is-a-nascarfan.com
 299 | is-a-nurse.com
 300 | is-a-painter.com
 301 | is-a-patsfan.org
 302 | is-a-personaltrainer.com
 303 | is-a-photographer.com
 304 | is-a-player.com
 305 | is-a-republican.com
 306 | is-a-rockstar.com
 307 | is-a-socialist.com
 308 | is-a-soxfan.org
 309 | is-a-student.com
 310 | is-a-teacher.com
 311 | is-a-techie.com
 312 | is-a-therapist.com
 313 | is-an-accountant.com
 314 | is-an-actor.com
 315 | is-an-actress.com
 316 | is-an-anarchist.com
 317 | is-an-artist.com
 318 | is-an-engineer.com
 319 | is-an-entertainer.com
 320 | is-by.us
 321 | is-certified.com
 322 | is-found.org
 323 | is-gone.com
 324 | is-into-anime.com
 325 | is-into-cars.com
 326 | is-into-cartoons.com
 327 | is-into-games.com
 328 | is-leet.com
 329 | is-lost.org
 330 | is-not-certified.com
 331 | is-saved.org
 332 | is-slick.com
 333 | is-uberleet.com
 334 | is-very-bad.org
 335 | is-very-evil.org
 336 | is-very-good.org
 337 | is-very-nice.org
 338 | is-very-sweet.org
 339 | is-with-theband.com
 340 | isa-geek.com
 341 | isa-geek.net
 342 | isa-geek.org
 343 | isa-hockeynut.com
 344 | issmarterthanyou.com
 345 | isteingeek.de
 346 | istmein.de
 347 | kicks-ass.net
 348 | kicks-ass.org
 349 | knowsitall.info
 350 | land-4-sale.us
 351 | lebtimnetz.de
 352 | leitungsen.de
 353 | likes-pie.com
 354 | likescandy.com
 355 | merseine.nu
 356 | mine.nu
 357 | misconfused.org
 358 | mypets.ws
 359 | myphotos.cc
 360 | neat-url.com
 361 | office-on-the.net
 362 | on-the-web.tv
 363 | podzone.net
 364 | podzone.org
 365 | readmyblog.org
 366 | saves-the-whales.com
 367 | scrapper-site.net
 368 | scrapping.cc
 369 | selfip.biz
 370 | selfip.com
 371 | selfip.info
 372 | selfip.net
 373 | selfip.org
 374 | sells-for-less.com
 375 | sells-for-u.com
 376 | sells-it.net
 377 | sellsyourhome.org
 378 | servebbs.com
 379 | servebbs.net
 380 | servebbs.org
 381 | serveftp.net
 382 | serveftp.org
 383 | servegame.org
 384 | shacknet.nu
 385 | simple-url.com
 386 | space-to-rent.com
 387 | stuff-4-sale.org
 388 | stuff-4-sale.us
 389 | teaches-yoga.com
 390 | thruhere.net
 391 | traeumtgerade.de
 392 | webhop.biz
 393 | webhop.info
 394 | webhop.net
 395 | webhop.org
 396 | worse-than.tv
 397 | writesthisblog.com
 398 | ####dnsexit####
 399 | publicvm.com
 400 | linkpc.net
 401 | ####afraid1####
 402 | mooo.com
 403 | chickenkiller.com
 404 | us.to
 405 | strangled.net
 406 | ignorelist.com
 407 | uk.to
 408 | crabdance.com
 409 | info.tm
 410 | homenet.org
 411 | jumpingcrab.com
 412 | twilightparadox.com
 413 | biz.tm
 414 | continent.kz
 415 | yao.cl
 416 | ax.lt
 417 | privatedns.org
 418 | hacked.jp
 419 | ftp.sh
 420 | now.im
 421 | bep.co.id
 422 | undo.it
 423 | bot.nu
 424 | kalbas.com.vn
 425 | qc.to
 426 | 3dxtras.com
 427 | pwnz.org
 428 | mine.bz
 429 | dynet.com
 430 | info.gf
 431 | my.to
 432 | allowed.org
 433 | god.jp
 434 | home.kg
 435 | shop.tm
 436 | ro.lt
 437 | t28.net
 438 | minecraftnoob.com
 439 | 69.mu
 440 | spacetechnology.net
 441 | gw.lt
 442 | root.sx
 443 | nx.tc
 444 | k.vu
 445 | mooo.info
 446 | farted.net
 447 | minecraftr.us
 448 | port0.org
 449 | happyforever.com
 450 | cr.rs
 451 | bigbox.info
 452 | 1337.cx
 453 | evils.in
 454 | csproject.org
 455 | verymad.net
 456 | fr.to
 457 | serverpit.com
 458 | vr.lt
 459 | punked.us
 460 | suka.se
 461 | h4ck.me
 462 | soon.it
 463 | thcgirls.com
 464 | iz.rs
 465 | madhacker.biz
 466 | fedea.com.ar
 467 | icfar.com
 468 | r-o-o-t.net
 469 | 404.mn
 470 | kir22.ru
 471 | byte4byte.com
 472 | 120v.ac
 473 | d-n-s.name
 474 | h-o-s-t.name
 475 | psybnc.org
 476 | zanity.net
 477 | hashcube.com
 478 | ohbah.com
 479 | 24-7.ro
 480 | mm.my
 481 | iiiii.info
 482 | abuser.eu
 483 | star.is
 484 | epicgamer.org
 485 | vietnam.ro
 486 | hackquest.com
 487 | photo-frame.com
 488 | iminecraft.se
 489 | oo.fi
 490 | javafaq.nu
 491 | bestforever.com
 492 | antongorbunov.com
 493 | agropeople.ru
 494 | psp-moscow.com
 495 | crackedsidewalks.com
 496 | eye.rs
 497 | silksky.com
 498 | drunkensailor.org
 499 | stfu-kthx.net
 500 | fol.cl
 501 | baltijalv.lv
 502 | ####afraid2####
 503 | bad.mn
 504 | hpc.tw
 505 | nard.ca
 506 | coalnet.ru
 507 | bagus.org
 508 | xpresit.net
 509 | zvezdaringa.ru
 510 | colegiotamandare.g12.br
 511 | holylandshop.ru
 512 | homelinuxserver.org
 513 | violates.us
 514 | starkom.ru
 515 | pntl.tl
 516 | dearabba.org
 517 | airlinemeals.net
 518 | zonet.us
 519 | malam.or.id
 520 | sektori.org
 521 | freesa.org
 522 | mindhackers.org
 523 | play.ai
 524 | qq.my
 525 | joiavip.com.br
 526 | vivat-consult.ru
 527 | oganilirkab.go.id
 528 | kopi.co.id
 529 | medicost.org
 530 | i-t.me
 531 | routemehome.com
 532 | good.one.pl
 533 | playop.net
 534 | all.my
 535 | possessed.us
 536 | nav.co.id
 537 | surfnet.ca
 538 | awiki.org
 539 | fairuse.org
 540 | pce-cihazlari.com.tr
 541 | violates.me
 542 | amurt.org.uk
 543 | 3n.cc
 544 | asenov.ru
 545 | funkar.nu
 546 | hs.vc
 547 | allisons.org
 548 | empresastaylor.com
 549 | giveawaylisting.com
 550 | novgaz-rzn.ru
 551 | fatdiary.org
 552 | india.sh
 553 | oneindonesia.co.id
 554 | mikata.ru
 555 | n-e-t.name
 556 | host2go.net
 557 | hiddencorner.org
 558 | zsh.jp
 559 | inflict.us
 560 | quannhacvang.com
 561 | dhm.ro
 562 | maluwilz.lv
 563 | remoteaccess.me
 564 | vankin.de
 565 | raspberryip.com
 566 | krash.net
 567 | z86.ru
 568 | erki.net
 569 | joe.dj
 570 | tacowolf.com
 571 | cpia.org.ar
 572 | netlord.de
 573 | cnstefancelmare.ro
 574 | hmao.pro
 575 | php-dev.net
 576 | webs.vc
 577 | bobcentury.com
 578 | computersforpeace.net
 579 | 688.org
 580 | richlorenz.com
 581 | tzafrir.org.il
 582 | galipan.net.ve
 583 | h0stname.net
 584 | ddos.im
 585 | inedelya.ru
 586 | vkagent.ru
 587 | cloudwatch.net
 588 | sdp-mos.ru
 589 | takeshi.cnt.br
 590 | floripalondon.com
 591 | orenznakomstva.ru
 592 | 2fine.de
 593 | 4040.idv.tw
 594 | photo-cult.com
 595 | winkel.com.ar
 596 | juliacake.com.vn
 597 | eva.hk
 598 | k22.su
 599 | tetuku.com
 600 | ananda.net.ve
 601 | d-n-s.org.uk
 602 | blinklab.com
 603 | ####afraid3####
 604 | pii.at
 605 | e-data.com.tr
 606 | tragazorras.com
 607 | golf-club.ro
 608 | savage.nu
 609 | your.my.id
 610 | nashvillerollergirls.com
 611 | 49b.uk
 612 | stalker.fi
 613 | uzid.com
 614 | doskapozora.com
 615 | bloom.us
 616 | smbb.ws
 617 | stes.fi
 618 | mysaol.com
 619 | tanah-aina.com
 620 | wiki.gd
 621 | celebsplay.com
 622 | statescasinos.com
 623 | stroyexpert.org
 624 | ruok.org
 625 | id.web.id
 626 | openoffcampus.com
 627 | bnpt.go.id
 628 | forss.to
 629 | ixx.io
 630 | mcsoft.org
 631 | surak.kz
 632 | 0x.no
 633 | makny.us
 634 | whyboner.com
 635 | ask2ask.com
 636 | servernux.com
 637 | blizzie.net
 638 | stan.cn
 639 | l5.ca
 640 | good-newz.org
 641 | dmtr.ru
 642 | aspserver.net
 643 | thevaughts.net
 644 | uk.ms
 645 | opensrc.mx
 646 | dalk.ru
 647 | chebicon.ru
 648 | yngling.com
 649 | stocktester.ru
 650 | nedvighimost-sochi.ru
 651 | 2p.fm
 652 | americajhon.com.pe
 653 | kck-saratov.ru
 654 | piki.si
 655 | benjamin.it
 656 | 4twenty.us
 657 | erke.biz.tr
 658 | sextube.ro
 659 | ddanciu.ro
 660 | lex.mn
 661 | mychild.ug
 662 | megamovs.com
 663 | custom-gaming.net
 664 | cda.md
 665 | rbb.org
 666 | sumibi.org
 667 | hmail.us
 668 | ipv6.la
 669 | thegmc.com
 670 | ig42.org
 671 | anonymous.lv
 672 | dagz.ru
 673 | istanbulsafak.com
 674 | ormy.ru
 675 | ganino.com
 676 | cw03.ru
 677 | lovethosetrains.com
 678 | qualirede.com.br
 679 | xxxxx.tw
 680 | optimas.co.id
 681 | dyn.ch
 682 | oldrussianmagic.com
 683 | hbmc.net
 684 | cys.ru
 685 | kyrgyzstan.kg
 686 | nevalain.ru
 687 | philipkingsleyshop.ru
 688 | darknigger.com
 689 | sne.jp
 690 | dob.jp
 691 | ghostnation.org
 692 | beerprojects.com
 693 | womenclothingtoday.com
 694 | iceblaze.com
 695 | iu4ever.org
 696 | rixtour.com
 697 | topdanang.com
 698 | ezxdev.org
 699 | heroinewarrior.com
 700 | grpn.ru
 701 | elchemi.com
 702 | musterihizmetleri.com
 703 | playfv.com
 704 | ####afraid4####
 705 | ccmissoula.com
 706 | blogs.or.id
 707 | e.co.za
 708 | zhilcontrol.ru
 709 | ns22.ru
 710 | qlbv.vn
 711 | prostore.ru
 712 | divakeramika.com
 713 | sweetriders.com
 714 | make.com.ar
 715 | smelly.cc
 716 | b33r.us
 717 | gerastar.ru
 718 | tvlinux.com
 719 | linux70.ru
 720 | dellsale.ru
 721 | lolk.org
 722 | priamaakcia.sk
 723 | aintno.info
 724 | jcor.ca
 725 | kein.hk
 726 | procare.co.id
 727 | tv-l.ru
 728 | diipl.com
 729 | null.rs
 730 | reason.org.nz
 731 | happyminecraft.com
 732 | plnntt.co.id
 733 | everton.com
 734 | gurcanozturk.com
 735 | jpfiles.eu
 736 | kiani.com
 737 | caturelang.co.id
 738 | pckf.com
 739 | trumgame.net
 740 | brawlcustommusic.com
 741 | dnet.hu
 742 | innograph.co.id
 743 | sith.su
 744 | naru.to
 745 | 8634.su
 746 | ivi.pl
 747 | polissya.eu
 748 | hitremixes.com
 749 | m-kopa.net
 750 | netmask.ca
 751 | warmkessel.com
 752 | hayeshelp.com
 753 | yourspecialtee.com
 754 | donkeyhot.net
 755 | 2ku.ru
 756 | gebish.org
 757 | russkoeumea.com
 758 | haki.hk
 759 | ilkor.com
 760 | mett.ru
 761 | orskkino.ru
 762 | swsc.org.np
 763 | 150watt.ru
 764 | dp76.com
 765 | gtk.cl
 766 | privateimport.jp
 767 | tedx.ee
 768 | tru.io
 769 | cc.net.br
 770 | lanas.cl
 771 | ugo.si
 772 | elitter.net
 773 | evs.net.br
 774 | jundy.org
 775 | nevskayaratusha.ru
 776 | technopagans.com
 777 | asianfreshproduce.com
 778 | hijaxdesigns.com
 779 | morganisageek.org
 780 | radiogirl.fm
 781 | e-education.hk
 782 | tn.my
 783 | colegiotorrevilano.es
 784 | olife.org
 785 | scottlewisonline.com
 786 | digitalgroupe.com
 787 | sly.io
 788 | taivas.biz
 789 | wojb.org
 790 | shoppingexpress.com.au
 791 | rltk.org
 792 | notici.as
 793 | shen.cl
 794 | solfa.org
 795 | agila.com.br
 796 | jesus.si
 797 | nlpd.net.au
 798 | tagan-rog.info
 799 | rcrcc.ca
 800 | vistnet.net
 801 | e-m-a-i-l.org
 802 | endlessmovie.com
 803 | evilrouter.com
 804 | auraria.org
 805 | ####afraid5####
 806 | ccmissoula.com
 807 | blogs.or.id
 808 | e.co.za
 809 | zhilcontrol.ru
 810 | ns22.ru
 811 | qlbv.vn
 812 | prostore.ru
 813 | divakeramika.com
 814 | sweetriders.com
 815 | make.com.ar
 816 | smelly.cc
 817 | b33r.us
 818 | gerastar.ru
 819 | tvlinux.com
 820 | linux70.ru
 821 | dellsale.ru
 822 | lolk.org
 823 | priamaakcia.sk
 824 | aintno.info
 825 | jcor.ca
 826 | kein.hk
 827 | procare.co.id
 828 | tv-l.ru
 829 | diipl.com
 830 | null.rs
 831 | reason.org.nz
 832 | happyminecraft.com
 833 | plnntt.co.id
 834 | everton.com
 835 | gurcanozturk.com
 836 | jpfiles.eu
 837 | kiani.com
 838 | caturelang.co.id
 839 | pckf.com
 840 | trumgame.net
 841 | brawlcustommusic.com
 842 | dnet.hu
 843 | innograph.co.id
 844 | sith.su
 845 | naru.to
 846 | 8634.su
 847 | ivi.pl
 848 | polissya.eu
 849 | hitremixes.com
 850 | m-kopa.net
 851 | netmask.ca
 852 | warmkessel.com
 853 | hayeshelp.com
 854 | yourspecialtee.com
 855 | donkeyhot.net
 856 | 2ku.ru
 857 | gebish.org
 858 | russkoeumea.com
 859 | haki.hk
 860 | ilkor.com
 861 | mett.ru
 862 | orskkino.ru
 863 | swsc.org.np
 864 | 150watt.ru
 865 | dp76.com
 866 | gtk.cl
 867 | privateimport.jp
 868 | tedx.ee
 869 | tru.io
 870 | cc.net.br
 871 | lanas.cl
 872 | ugo.si
 873 | elitter.net
 874 | evs.net.br
 875 | jundy.org
 876 | nevskayaratusha.ru
 877 | technopagans.com
 878 | asianfreshproduce.com
 879 | hijaxdesigns.com
 880 | morganisageek.org
 881 | radiogirl.fm
 882 | e-education.hk
 883 | tn.my
 884 | colegiotorrevilano.es
 885 | olife.org
 886 | scottlewisonline.com
 887 | digitalgroupe.com
 888 | sly.io
 889 | taivas.biz
 890 | wojb.org
 891 | shoppingexpress.com.au
 892 | rltk.org
 893 | notici.as
 894 | shen.cl
 895 | solfa.org
 896 | agila.com.br
 897 | jesus.si
 898 | nlpd.net.au
 899 | tagan-rog.info
 900 | rcrcc.ca
 901 | vistnet.net
 902 | e-m-a-i-l.org
 903 | endlessmovie.com
 904 | evilrouter.com
 905 | auraria.org
 906 | ####dtdns####
 907 | darktech.org
 908 | effers.com
 909 | 4irc.com
 910 | slyip.net
 911 | bbsindex.com
 912 | chatnook.com
 913 | b0ne.com
 914 | slyip.com
 915 | 3d-game.com
 916 | suroot.com
 917 | etowns.org
 918 | dtdns.net
 919 | gotgeeks.com
 920 | scieron.com
 921 | etowns.net
 922 | flnet.org
 923 | deaftone.com
 924 | ####changeip####
 925 | zzux.com
 926 | onmypc.info
 927 | lflinkup.org
 928 | dynamicdns.me.uk
 929 | ourhobby.com
 930 | onmypc.us
 931 | itsaol.com
 932 | instanthq.com
 933 | ns2.name
 934 | wikaba.com
 935 | ns02.biz
 936 | https443.org
 937 | 1dumb.com
 938 | https443.net
 939 | serveusers.com
 940 | jkub.com
 941 | qpoe.com
 942 | organiccrap.com
 943 | ddns.mobi
 944 | dns04.com
 945 | dynamicdns.org.uk
 946 | authorizeddns.org
 947 | ikwb.com
 948 | myftp.name
 949 | mymom.info
 950 | squirly.info
 951 | mrbasic.com
 952 | serveuser.com
 953 | epac.to
 954 | dns-dns.com
 955 | ns02.info
 956 | ocry.com
 957 | authorizeddns.net
 958 | ninth.biz
 959 | dynamicdns.biz
 960 | changeip.org
 961 | dyndns.pro
 962 | pcanywhere.net
 963 | 25u.com
 964 | mydad.info
 965 | cleansite.us
 966 | freetcp.com
 967 | rebatesrule.net
 968 | zyns.com
 969 | toythieves.com
 970 | myddns.com
 971 | got-game.org
 972 | onmypc.net
 973 | vizvaz.com
 974 | gr8domain.biz
 975 | dns05.com
 976 | lflinkup.com
 977 | dns-stuff.com
 978 | mynumber.org
 979 | ddns.info
 980 | dsmtp.com
 981 | mynetav.net
 982 | proxydns.com
 983 | mrface.com
 984 | jungleheart.com
 985 | mypop3.org
 986 | ftp1.biz
 987 | 4pu.com
 988 | myz.info
 989 | 4mydomain.com
 990 | mynetav.org
 991 | mrbonus.com
 992 | trickip.org
 993 | trickip.net
 994 | dns1.us
 995 | mysecondarydns.com
 996 | xxxy.biz
 997 | ftpserver.biz
 998 | dhcp.biz
 999 | dnset.com
1000 | freeddns.com
1001 | sendsmtp.com
1002 | mefound.com
1003 | port25.biz
1004 | americanunfinished.com
1005 | 4dq.com
1006 | dynamicdns.co.uk
1007 | faqserv.com
1008 | changeip.name
1009 | yourtrap.com
1010 | compress.to
1011 | jetos.com
1012 | changeip.net
1013 | esmtp.biz
1014 | xxxy.info
1015 | justdied.com
1016 | ddns.ms
1017 | dynssl.com
1018 | dns2.us
1019 | ns01.info
1020 | cleansite.biz
1021 | sixth.biz
1022 | ezua.com
1023 | gr8name.biz
1024 | gettrials.com
1025 | ns01.us
1026 | myftp.info
1027 | 3-a.net
1028 | wha.la
1029 | itemdb.com
1030 | isasecret.com
1031 | 2waky.com
1032 | ns1.name
1033 | sellclassics.com
1034 | qhigh.com
1035 | onmypc.biz
1036 | sexidude.com
1037 | otzo.com
1038 | my03.com
1039 | edns.biz
1040 | authorizeddns.us
1041 | lflink.com
1042 | mywww.biz
1043 | ns01.biz
1044 | fartit.com
1045 | longmusic.com
1046 | acmetoy.com
1047 | ssl443.org
1048 | x24hr.com
1049 | ddns.us
1050 | mypop3.net
1051 | ns02.us
1052 | cleansite.info
1053 | www1.biz
1054 | xxuz.com
1055 | iownyour.org
1056 | toh.info
1057 | bigmoney.biz
1058 | onmypc.org
1059 | mrslove.com
1060 | moneyhome.biz
1061 | ddns.name
1062 | ns3.name
1063 | freewww.biz
1064 | mypicture.info
1065 | ddns.me.uk
1066 | freewww.info
1067 | dumb1.com
1068 | dnsrd.com
1069 | iownyour.biz
1070 | youdontcare.com
1071 | lflinkup.net
1072 | onedumb.com
1073 | wwwhost.biz
1074 | almostmy.com
1075 | mylftv.com
1076 | sexxxy.biz
1077 | ygto.com
1078 | ####dynu####
1079 | dynu.com
1080 | dynu.net
1081 | ####3322.org####
1082 | 6600.org
1083 | 7766.org
1084 | 8800.org
1085 | webok.net
1086 | 2288.org
1087 | 9966.org
1088 | 8866.org
1089 | 3322.org
1090 | f3322.net
1091 | eatuo.com
1092 | x3322.org
1093 | ####Freenom####
1094 | co.vu
1095 | gq
1096 | ml
1097 | cf
1098 | tk
1099 | ga
1100 | ####uni.me####
1101 | oapg.org
1102 | uni.me
1103 | cnc-cs.com
1104 | hyd.me
1105 | co7.us
1106 | ####duckdns####
1107 | duckdns.org
1108 | ####spdns####
1109 | spdns.eu
1110 | firewall-gateway.de
1111 | firewall-gateway.com
1112 | myfirewall.org
1113 | my-router.de
1114 | my-firewall.org
1115 | my-gateway.de
1116 | spdns.org
1117 | ####dnsalias####
1118 | dnsip.ru
1119 | dns-free.com
1120 | dnsalias.ru
1121 | dyn-dns.ru
1122 | ####firesale gTLD####
1123 | mom
1124 | stream
1125 | win
1126 | loan
1127 | site
1128 | trade
1129 | date
1130 | vip
1131 | gb
1132 | download
1133 | click
1134 | gdn
1135 | blue
1136 | voyage
1137 | pw
1138 | space
1139 | top
1140 | lol
1141 | accountant
1142 | maison
1143 | ren
1144 | online
1145 | party
1146 | racing
1147 | pro
1148 | red
1149 | website
1150 | pink
1151 | cricket
1152 | webcam
1153 | club
1154 | bid
1155 | men
1156 | host
1157 | link
1158 | desi
1159 | kim
1160 | review
1161 | press
1162 | faith
1163 | mobi
1164 | country
1165 | xyz
1166 | tech
1167 | science
1168 | boutique


--------------------------------------------------------------------------------