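// Methodology / hunting rule, not a detection rule. KCP is a transport
// library that legitimate software can embed just as an implant can, so a
// match only says "this executable appears to carry KCP transport code";
// treat hits as leads to pivot on, not as verdicts.
rule Methodology_AscensionEngine_KCP_Strings
{
    meta:
        author = "smiller"
        date = "2/5/2019"
        description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP. Matches on this rule may have built-in KCP transport ability."
        md5 = "6f8bdd64736075303b9082bbfcc95cfe"

    strings:
        // Format strings that appear to come from KCP's logging code. They are
        // matched as plain ASCII (YARA's default); a build that stores them as
        // UTF-16 (e.g. a managed-code port) would not match unless "wide" is
        // added, which is a deliberate trade against extra false positives.
        $a01 = "[RO] %ld bytes"
        $a02 = "recv sn=%lu"
        $a03 = "[RI] %d bytes"
        $a04 = "input ack: sn=%lu rtt=%ld rto=%ld"
        $a05 = "input psh: sn=%lu ts=%lu"
        $a06 = "input probe"
        $a07 = "input wins: %lu"
        $a08 = "rcv_nxt=%lu\n"
        $a09 = "snd(buf=%d, queue=%d)\n"
        $a10 = "rcv(buf=%d, queue=%d)\n"
        // Generic token that shows up in plenty of non-KCP networking code.
        // fullword keeps it from firing on a substring of a longer identifier;
        // it still counts toward the threshold, so it weakens the rule a little.
        $a11 = "rcvbuf" fullword

    condition:
        // Only scan executables: PE (MZ header plus "PE\0\0" at e_lfanew) or
        // ELF (0x7f 'E' 'L' 'F'). YARA treats an out-of-range uint32() read
        // as undefined, so a truncated MZ stub simply fails the PE check.
        (
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
            or uint32(0) == 0x464c457f
        )
        // Low threshold by design ("wide catchall"): two of the format strings
        // plus the generic $a11 are enough, so expect false positives and
        // review matches manually before acting on them.
        and 3 of ($a*)
}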