Parser to detect Buffer overflow attempts or NOP SLEDS?
i was wondering if anyone has previously worked on a parser to detect consecutive 0x40's, 0x41's, 0x42's ,.. or 0x90's before?
I have not written a parser before and i plan on making this one my first however, i wanted to touch base with the usergroup and see if anyone else has worked on something like this.
Thanks in advance.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
You're going to end up with a bunch of tokens. But otherwise, parsers don't get much more simple than this
<token name="bytes" value="@@@@@@@@@@"/>
<token name="bytes" value=""/>
<meta name="meta_alert" key="alert" format="text"/>
<register name="meta_alert" value="possible buffer overflow attempt"/>
Add more tokens as desired. They can all be named "bytes" and thus all execute the same match statement even though they have different values if you want them all to register the same alert text (like in the above). If you want different alert text (say one for "possible buffer overflow" and another for "possible nop sled") you'll have to use different token names and match statements.
Add more bytes per token as desired. But note that if 20 0x90 are in the payload, a token consisting of 10 0x90 will still match (multiple times actually).
You can use the same basic outline / logic for any signature-type parser (see pattern -> register alert).