Web traffic detection and bypass (based on Snort rules)

Snort

In the previous post I described how to configure Snort+MySQL under Windows XP; other Windows versions work just as well.
The main content of this chapter is learning and writing Snort rules, so that we can detect many Trojans with Snort.

Snort overview

Snort is a translator.
It does not speak English itself (it does not capture packets); it only translates what it hears (packets captured by libpcap) into Chinese (analyzes them and shows us the result).
Snort version 2.9 and above can translate more languages into Chinese (it supports more packet-capture frameworks).

Packet / English
Parsing / Translation
Result / Chinese

Snort rule learning

To translate at all, there must be fixed correspondences (for example, "one" corresponds to one Chinese word and "handsome boy" to another), so the Chinese has to be spoken according to certain rules.
In the same way, Snort displays the parsed packet according to certain rules.
For example msg: the message text, and so on.
Some of the rule options are as follows:

Keyword     Meaning
msg         Message displayed when the rule fires
reference   Reference website for this rule
sid         Number of the rule (its key identifier)
rev         Rule revision
content     Pattern to look for in the packet content
offset      Offset at which the content search starts
depth       Offset at which the content search ends
distance    Start offset of the next content, counted from the previous match
nocase      Case-insensitive match
rawbytes    Match against the raw, unparsed packet data
isdataat    Whether there is data at a certain offset (if so, it should be payload)
flow        What the data stream is doing (works for TCP and the like)
|0A|        Escape notation for the byte 0A

I won't enumerate them all here; please refer to the official documentation for the full set of rule options.

Snort rule writing

Having learned how rules are processed, we can write one ourselves. Let's write a rule and take a look:

alert udp any any -> any any (msg:"lvguang_trojan1"; content:"retkey"; sid:1000001; rev:1;)

This means:
alert when a UDP packet's content contains "retkey", because that means the green light (lvguang) Trojan has been encountered.

This is the Trojan in question, the one glowing with green light.

Flow characteristic processing

So now that we know how Snort detects traffic, how can these characteristics be removed?

Eliminate flow characteristics

1. Encode (encrypt) the data packet, decode (decrypt) it inside the web Trojan, and then execute it.
2. The web Trojan first visits a normal website to obtain normal-looking data, which is then interpreted as remote commands to execute (also encrypted).
3. And so on... The author's abilities are limited; additions are welcome.

Checking whether the detection characteristics have been eliminated

Intercept the traffic and save it as a pcap file, then use Snort to check whether the pcap still triggers an alert.
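As an added example (written for this post, not part of the original and not Snort itself), here is a small Python model of Snort's content option matching. It lets you check which constructed UDP payloads the lvguang_trojan1 rule above would alert on, the same question the pcap check answers with a real Snort run; the second, tighter rule variant and the sample payloads are assumptions constructed for the demonstration.

```python
"""Minimal model of Snort 'content' matching, to check which constructed
payloads a rule such as lvguang_trojan1 would alert on."""

def parse_content(s):
    """Turn a Snort content string into bytes; |hh hh| segments are hex."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def find_content(payload, content, offset=0, depth=None, distance=None,
                 nocase=False, last_end=0):
    """Return the index just past the match, or -1. offset/depth count from
    the payload start; distance counts from the end of the previous match."""
    pattern = parse_content(content)
    start = last_end + distance if distance is not None else offset
    end = len(payload) if depth is None else start + depth
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    i = hay.find(pattern)
    return -1 if i < 0 else start + i + len(pattern)

def rule_matches(payload, contents):
    """A rule fires only if every content option matches, in order."""
    pos = 0
    for opts in contents:
        pos = find_content(payload, last_end=pos, **opts)
        if pos < 0:
            return False
    return True

# (msg, content options). The first is the post's lvguang_trojan1 rule; the
# second is a constructed, tighter variant that also requires a newline right
# after the keyword (an assumption, not the real Trojan's format).
RULES = [
    ("lvguang_trojan1", [{"content": "retkey"}]),
    ("lvguang_trojan1_tight", [{"content": "retkey", "offset": 0, "depth": 6},
                               {"content": "|0A|", "distance": 0}]),
]

def scan(packets, rules=RULES):
    """Return (packet index, msg) for every rule that fires on each packet,
    the per-packet result a run of snort -r capture.pcap would report."""
    return [(n, msg) for n, p in enumerate(packets)
            for msg, contents in rules if rule_matches(p, contents)]

# Constructed sample payloads, not real captures.
PACKETS = [b"retkey\n", b"xx RETKEY\n", b"hello world", b"retkey cmd"]

if __name__ == "__main__":
    for hit in scan(PACKETS):
        print(hit)
```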

In practice

A practical walkthrough of a Trojan bypassing detection is not included here. If you are interested, you can talk to me; I am often online.

Origin: blog.csdn.net/qq_42882717/article/details/112601618