Rule2Alert's goal is to read in Snort rules and generate packets that would make Snort produce an alert. It is written entirely in Python and uses Scapy to craft the packets. It is still under heavy development by myself, Pablo Rincon, and Will Metcalf.
Currently, it is able to generate pcaps from simple content-based, Snort-compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted Snort 514 times. The project is not ready to be released yet, but the results look promising so far. The project lives under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)
famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP 192.168.0.1:9001 > 220.127.116.11:www S
Ether / IP / TCP 18.104.22.168:www > 192.168.0.1:9001 SA
Ether / IP / TCP 192.168.0.1:9001 > 22.214.171.124:www A
Ether / IP / TCP 192.168.0.1:9001 > 126.96.36.199:www PA / Raw
-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------
Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules
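The core of what the run above shows is deciding where each content match has to land in the payload: the first content is placed first, and "hey" has to start 5 bytes after it (distance:5) and finish no more than 12 bytes after it (within:12), which is why the tool emitted five 0x20 filler bytes between them. The following is an added example in that spirit, not Rule2Alert's own code. It parses the rule's option block, decodes the |hex| notation, lays out the contents, and refuses rules whose distance/within or offset/depth cannot both be met. The option semantics assumed here (distance and within measured from the end of the previous match, depth measured from offset) and the 0x20 filler byte are assumptions of this example; the sample rule is the one from the post, with sid 2000000 as an example value. Packet crafting is left to Scapy, which accepts the returned bytes as Raw(load=...).

```python
"""Build a payload that satisfies a simple Snort rule's content modifiers.

Added example in the spirit of Rule2Alert; not the project's code.  Assumed
semantics: offset/depth are absolute for the first content (depth counted
from offset); distance/within are relative to the END of the previous
content match, and within bounds where the next match must end.
"""
import re

# Constructed from the rule in the post (sid 2000000 is an example value).
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; '
    'flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; '
    'distance:5; within:12; sid:2000000; rev:1;)'
)

FILLER = 0x20  # assumed byte used to pad the gaps between content matches


def parse_options(rule):
    """Return (keyword, value) pairs from the rule body, e.g. ('distance', '5').

    Splits on ';' unless it is backslash-escaped inside a content string.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = []
    for raw in re.split(r"(?<!\\);", body):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            options.append((key.strip(), value.strip()))
    return options


def decode_content(text):
    """Decode a Snort content string: literal text, |xx xx| hex sections,
    and a backslash that escapes the character following it."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    out, hex_buf, in_hex, i = bytearray(), "", False, 0
    while i < len(text):
        c = text[i]
        if in_hex:
            if c == "|":
                out += bytes.fromhex(hex_buf)
                hex_buf, in_hex = "", False
            elif not c.isspace():
                hex_buf += c
        elif c == "\\" and i + 1 < len(text):
            i += 1
            out.append(ord(text[i]))
        elif c == "|":
            in_hex = True
        else:
            out.append(ord(c))
        i += 1
    if in_hex:
        raise ValueError("unterminated hex section in content: %r" % text)
    return bytes(out)


def build_payload(rule, filler=FILLER):
    """Lay every content out at the earliest position its modifiers allow."""
    contents = []
    for key, value in parse_options(rule):
        if key == "content":
            contents.append({"bytes": decode_content(value)})
        elif key in ("offset", "depth", "distance", "within") and contents:
            contents[-1][key] = int(value)
    if not contents:
        raise ValueError("rule has no content option; nothing to generate")

    payload, last_end = bytearray(), None
    for c in contents:
        data = c["bytes"]
        if last_end is None:                        # first content: absolute
            start = c.get("offset", 0)
            if "depth" in c and len(data) > c["depth"]:
                raise ValueError("content cannot fit inside depth:%d" % c["depth"])
        else:                                       # relative to previous match
            start = last_end + c.get("distance", 0)
            if "within" in c and start + len(data) - last_end > c["within"]:
                raise ValueError("distance and within cannot both be satisfied")
        if start < len(payload):
            raise ValueError("overlapping contents (negative distance) not supported")
        payload += bytes([filler]) * (start - len(payload))
        payload += data
        last_end = start + len(data)
    return bytes(payload)


if __name__ == "__main__":
    data = build_payload(EXAMPLE_RULE)
    print(" ".join("%02x" % b for b in data))  # 56 24 5a 63 20 20 20 20 20 68 65 79
```

The unsatisfiable case matters in practice: a rule with distance:10; within:12 and a four-byte second content can never fire, and a generator should report that rather than silently emit a packet that the IDS will not alert on.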
To step away from using Snort as a base for detecting binary packers, I decided to take a more direct approach and use a library that handles stream reassembly within Python. I then simply took the data once the connection had closed and scanned it with pefile. The Python script, which I call nPeID (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (default is eth0).
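The two steps behind nPeID, reassembling one side of a TCP stream and then asking whether the bytes form a PE image, look like this in an added example that is not the author's script. The reassembly is written by hand here so it runs offline, and the header check is a minimal stand-in for pefile (the real script would call pefile.PE(data=stream) on the reassembled bytes at connection close). The sample "executable" is a constructed DOS stub plus COFF header with no code, and the segment list, ISN and overlap policy are assumptions of this example.

```python
"""Reassemble one direction of a TCP stream and check for a PE image.

Added example modelled on the nPeID idea; not the author's script.  pe_info
is a minimal stand-in for pefile so the example runs offline.
"""
import struct

E_LFANEW_OFFSET = 0x3C  # offset of the PE header pointer inside the DOS header


def reassemble(isn, segments, policy="first"):
    """Rebuild the byte stream from (seq, payload) segments.

    Segments may arrive out of order or be retransmitted.  Where two
    segments overlap, 'first' keeps the earlier-captured byte and 'last'
    keeps the later one; an IDS has to choose deliberately, because the
    receiving OS makes its own choice and a mismatch is evadable.
    Returns None if any byte is missing, since a scan of a gapped stream
    cannot be trusted.
    """
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = (seq - isn + i) & 0xFFFFFFFF
            if off not in stream or policy == "last":
                stream[off] = b
    if not stream:
        return b""
    length = max(stream) + 1
    if len(stream) != length:
        return None
    return bytes(stream[i] for i in range(length))


def pe_info(data):
    """Return basic COFF header fields if data starts with a PE image, else None."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": sections,
            "optional_header_size": opt_size, "characteristics": chars}


def scan_stream(isn, segments):
    """What nPeID does at connection close: reassemble, then scan the bytes."""
    data = reassemble(isn, segments)
    return None if data is None else pe_info(data)


def sample_pe():
    """Constructed 120-byte PE skeleton: DOS stub, PE signature, COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)
    # i386, 3 sections, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 32


def sample_segments():
    """Constructed capture: the skeleton delivered out of order with one
    retransmission, relative to an assumed ISN of 1000."""
    image, isn = sample_pe(), 1000
    return isn, [
        (isn + 40, image[40:80]),
        (isn + 0, image[0:40]),
        (isn + 80, image[80:]),
        (isn + 40, image[40:80]),  # retransmitted segment
    ]


if __name__ == "__main__":
    isn, segs = sample_segments()
    print(scan_stream(isn, segs))
```

Scanning only after the FIN/RST is what makes the header check meaningful: e_lfanew can point well past the first segment, so a per-packet check would miss an executable whose PE signature arrives later in the stream.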
This is actually my first analysis of malware, so the paper I wrote may not be as in-depth as some may wish. I cover the two files that the variant creates on the Windows system and provide packet capture analysis. I plan on diving deeper into research with a few peers from Rochester Institute of Technology, including SPARSA (Security Practices and Research Student Association).
This paper briefly details the analysis of W32/StormWorm.gen1. The analysis covers the two files created by the variant and looks into the contents of those files. A quick overview of the network traffic generated by the worm is given, along with the data exchanged between the peers connected to the Overnet P2P network. Towards the end of the paper, extended research discusses the disassembly of the variant and where the process injection is found within the assembly code.
I will eventually post more analysis here once I find the time.