In Snort 3.6.2.0, the team has added new modifiers for the "content” option to simplify detection against multi-byte character strings.
For content matches, “width” and “endian” options allow users to modify the content to match against simple wide character strings without manually adding null bytes into the patterns. This makes rule writing easier and more maintainable against targets that use multi-byte character strings, as is common in file metadata or modern string encodings.
Width allows a simple expansion of the content from 8-bit character width to a specified width of 8, 16, or 32 bits. Note that 8 bits is the default behavior and does not impact detected content.
# Match "hello" encoded with 32 bits per character in big endian
content:"|000000|h|000000|e|000000|l|000000|l|000000|o";
content:"hello", width 32;
Endian further modifies the width option’s expansion to control the endianness of the expanded character with “big” (as the default) and “little” options. Combining these two options, we can easily flex our detection patterns to match on a variety of string encodings. For example, content: “Talos”, width 32, endian little; would detect on “Talos” encoded as a UTF-32-LE string.
# Match "Talos" encoded with 32 bits per character in little endian content:"T|000000|a|000000|l|000000|o|000000|s|000000|";
content:"Talos",width 32,endian little;
To showcase how the width and endian modifiers can make rules more maintainable, consider the existing malware detection in Snort SID 55927. This rule detects several highly suspect strings within a target binary; however, these strings are UTF-16-LE encoded. Here is the simplified rule in old content syntax with null bytes manually added:
alert file (
msg:"MALWARE-CNC Win.Dropper.LemonDuck variant script download attempt";
file_data;
content:"|00|%|00|u|00|s|00|e|00|r|00|n|00|a|00|m|00|e|00|%|00||00|%|00|c|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|n|00|a|00|m|00|e|00|%|00|*|00|",fast_pattern,nocase;
content:"W|00|S|00|c|00|r|00|i|00|p|00|t|00|.|00|S|00|h|00|e|00|l|00|l|00|",nocase;
content:"D|00|o|00|w|00|n|00|L|00|o|00|a|00|d|00|S|00|t|00|r|00|i|00|n|00|g|00|",nocase;
)
Here is an example of the new syntax, which makes the rule much easier to follow:
alert file (
msg:"MALWARE-CNC Win.Dropper.LemonDuck variant script download attempt";
file_data;
content:"%username%%computername%*", fast_pattern, nocase, width 16, endian little;
content:"WScript.Shell", nocase, width 16, endian little;
content:"DownLoadString", nocase, width 16, endian little;
)
As we can see, if the new rule were to have hits in our environment, we would be able to understand what the rule is alerting to much faster than the original syntax. ClamAV and Yara users will likely be familiar with this usage because the combination of “endian little” and “width 16” is functionally identical to the languages’ wide modifiers.
These new features are available in Snort 3.6.2.0 and later. More documentation on these options is available in the Snort 3 Rule Writing Guide.
If you have any questions, feel free to reach out to us via: snort-users@lists.snort.org or join our Snort Discord.