PEiD Snort Signature Update

Even though I have already created a better way of detecting binary packers on the network with npeid, and of extracting them from pcaps, there are still many IDS rules that look for popular binary packers. My previous script was flawed, as were my rules. I have created a new Python script called snortRand.py which generates the content matches for a signature and calculates the distance and within modifiers for each one.

Example:

famousjs@youbantoo:~/peid2snort$ ./snortRand.py "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB"

content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB|"; distance: 4; within: 55;

This makes bulk generation of rules for signatures with wildcard bytes easily scriptable. I have generated a new rules file with working Snort rules for binary packers, located here.
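As an added example (not snortRand.py or any other code from the post), the conversion above can be reproduced in a few dozen lines: split the PEiD signature into runs of literal bytes separated by `??` wildcards, emit one `content` per run, and for every run after the first set `distance` to the number of wildcards skipped and `within` to that gap plus the run's length. Leading wildcards are dropped because the first content is unanchored anyway, trailing wildcards because they constrain nothing. The `build_rule` wrapper is an assumption on top of that: its `alert tcp $EXTERNAL_NET any -> $HOME_NET any` header, `flow:to_client,established`, and `classtype` are choices made here to match the server-to-client HTTP download in the alert shown below, and the sid is a placeholder in the local range, not the one from the rules file.

```python
import re
from typing import List, Tuple

# Constructed sample input: the UPX-style PEiD signature quoted in the post.
SAMPLE_SIG = (
    "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 "
    "8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 "
    "01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB"
)

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def split_signature(sig: str) -> List[Tuple[int, str]]:
    """Split a PEiD signature into (gap, hexbytes) runs.

    A run is a maximal group of literal bytes; `gap` is the number of
    wildcard (??) bytes between it and the previous run. The first run
    always gets gap 0 (leading wildcards are discarded), trailing
    wildcards are discarded, and any token that is not a full hex byte
    or ?? is rejected rather than silently turned into a wrong pattern.
    """
    runs: List[Tuple[int, str]] = []
    gap = 0
    current: List[str] = []
    for tok in sig.split():
        if tok == "??":
            if current:
                runs.append((gap if runs else 0, "".join(current)))
                current, gap = [], 0
            gap += 1
        elif _HEX_BYTE.match(tok):
            current.append(tok.upper())
        else:
            raise ValueError(f"unsupported token {tok!r} (only full bytes and ?? are handled)")
    if current:
        runs.append((gap if runs else 0, "".join(current)))
    return runs


def peid_to_snort(sig: str) -> str:
    """Render the content/distance/within clauses for a PEiD signature."""
    runs = split_signature(sig)
    if not runs:
        raise ValueError("signature contains no literal bytes")
    parts: List[str] = []
    for i, (gap, hexbytes) in enumerate(runs):
        parts.append(f'content: "|{hexbytes}|";')
        if i > 0:
            # distance: skip exactly `gap` wildcard bytes after the previous match;
            # within: the run must then end inside gap + its own length bytes.
            nbytes = len(hexbytes) // 2
            parts.append(f"distance: {gap}; within: {gap + nbytes};")
    return " ".join(parts)


def build_rule(name: str, sig: str, sid: int) -> str:
    """Wrap the clauses in a complete rule (header and options are assumptions).

    Semicolons and double quotes are stripped from the packer name because
    either would terminate the msg option and break the rule.
    """
    msg = re.sub(r'[;"]', "", name)
    return (
        "alert tcp $EXTERNAL_NET any -> $HOME_NET any "
        f'(msg:"PEiD packer {msg}"; flow:to_client,established; '
        f"{peid_to_snort(sig)} classtype:misc-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print(peid_to_snort(SAMPLE_SIG))
    # sid 9000001 is a placeholder in the local-rules range, not the post's sid.
    print(build_rule("UPX 290 [LZMA] - Markus Oberhumer Laszlo Molnar John Reiser",
                     SAMPLE_SIG, 9000001))
```

Run on the sample, `peid_to_snort` prints exactly the clause string shown above. Feeding it an entire PEiD userdb is a loop over `build_rule` with a unique sid per entry; the ValueError on unknown tokens is deliberate, since a signature that is misparsed would produce a rule that never fires rather than one that fails loudly.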

I would not suggest loading the entire ruleset into any Snort IDS. It is more of a database for anyone looking for the Snort signature of a specific binary packer.

famousjs@youbantoo:~/npeid$ sudo snort -c /etc/snort/snort.conf -k None -q -A console -r out.pcap

05/19-00:21:13.685461 [**] [1:2009001296:1] [UPX 290 [LZMA] - Markus Oberhumer Laszlo Molnar John Reiser] [**] [Priority: 0] {TCP} 72.167.232.144:80 -> 10.1.99.122:54077

*flowdepth (the http_inspect flow_depth setting) is required to be set to 0 in snort.conf, so that the whole HTTP server response body is inspected rather than only its first bytes; otherwise the packer stub deep inside the downloaded executable is never seen by the content matches.