From 6de054a0d8615deacb3c1d4090c0c7da486c374a Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Wed, 22 Nov 2023 12:38:13 +0800
Subject: [PATCH 1/6] Add initial detection rule
Signed-off-by: Still Hsu
---
.../hp-socket/linked-against-hp-socket.yml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 linking/static/hp-socket/linked-against-hp-socket.yml
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/linking/static/hp-socket/linked-against-hp-socket.yml
new file mode 100644
index 000000000..72cbc4f4b
--- /dev/null
+++ b/linking/static/hp-socket/linked-against-hp-socket.yml
@@ -0,0 +1,30 @@
+rule:
+ meta:
+ name: linked against High-Performance Socket (hp-socket)
+ namespace: linking/static/hp-socket
+ authors:
+ - still@teamt5.org
+ scope: file
+ att&ck:
+ - Command and Control::Non-Application Layer Protocol [T1095]
+ references:
+ - https://github.com/ldcsaa/HP-Socket/
+ examples:
+ - ac204bc653d6e49eea093b01ba3eaa60
+ features:
+ - or:
+ - substring: "HP-Socket for Linux v%d.%d.%d [BN:%02d]"
+ - 3 or more:
+ - substring: "global/helper.cpp"
+ - substring: "src/HttpServer.cpp"
+ - substring: "src/TcpServer.cpp"
+ - substring: "src/common/IODispatcher.cpp"
+ - substring: "src/common/Thread.cpp"
+ - substring: "/HP-Socket/Linux/"
+ # in theory the following should be present for Windows version; untested
+ - 3 or more:
+ - substring: "Client Send Fail [SOCK: %d, SEQ: %d]"
+ - substring: "(%Iu) Send OK -->"
+ - substring: "<%s#%d> OP: %d, CODE: %d (DATA: 0x%X, LEN: %d>"
+ - substring: "---------------> Client Worker Thread 0x%08X stoped <---------------"
+ - substring: " OnSend() event should not return 'HR_ERROR' !!"
From 8cca6df2f6007f9d8ebc4bc7d7072e19eb446045 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Wed, 22 Nov 2023 12:44:34 +0800
Subject: [PATCH 2/6] Rename rule to make linter happy
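Review bot: The Linux branch of the `or` (the first `3 or more`) can fire on any binary that embeds three of six fairly generic source paths such as `src/TcpServer.cpp` and `src/common/Thread.cpp`; only `/HP-Socket/Linux/` actually names the library, so the block should be anchored on it, e.g. `- and:` / `  - substring: "/HP-Socket/Linux/"` / `  - 2 or more:` with the remaining `.cpp` substrings nested under the latter. The Windows `3 or more` block is self-described as untested and the one hash under `examples` only exercises the Linux strings, so either add a Windows sample to `examples` or drop that block until one exists (if kept, `stoped` is presumably copied verbatim from the library's string and must not be "corrected"). Linking against a networking library by itself says nothing about command-and-control, so the `att&ck: Command and Control::Non-Application Layer Protocol [T1095]` mapping looks over-stated for a `linking/static` library-identification rule; consider removing the `att&ck` block, as such rules usually carry none.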
Signed-off-by: Still Hsu
---
linking/static/hp-socket/linked-against-hp-socket.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/linking/static/hp-socket/linked-against-hp-socket.yml
index 72cbc4f4b..f34a75625 100644
--- a/linking/static/hp-socket/linked-against-hp-socket.yml
+++ b/linking/static/hp-socket/linked-against-hp-socket.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: linked against High-Performance Socket (hp-socket)
+ name: linked against hp-socket
 namespace: linking/static/hp-socket
 authors:
 - still@teamt5.org
From 11afc4a509ee9117d81f5b785797927b0159e034 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 23 Nov 2023 01:02:50 +0800
Subject: [PATCH 3/6] Replace test data with official demo
Signed-off-by: Still Hsu
---
linking/static/hp-socket/linked-against-hp-socket.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/linking/static/hp-socket/linked-against-hp-socket.yml
index f34a75625..78366bcb6 100644
--- a/linking/static/hp-socket/linked-against-hp-socket.yml
+++ b/linking/static/hp-socket/linked-against-hp-socket.yml
@@ -10,7 +10,7 @@ rule:
 references:
 - https://github.com/ldcsaa/HP-Socket/
 examples:
- - ac204bc653d6e49eea093b01ba3eaa60
+ - dd597670a613c5435839e7f249dac0ad
 features:
 - or:
 - substring: "HP-Socket for Linux v%d.%d.%d [BN:%02d]"
From 2fe9cdb8a4aa4874b627dfb213cc33286a94bbf3 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 23 Nov 2023 01:11:04 +0800
Subject: [PATCH 4/6] Replace sample hash with known working one
Signed-off-by: Still Hsu
---
linking/static/hp-socket/linked-against-hp-socket.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/linking/static/hp-socket/linked-against-hp-socket.yml
index 78366bcb6..6f7daf034 100644
--- a/linking/static/hp-socket/linked-against-hp-socket.yml
+++ b/linking/static/hp-socket/linked-against-hp-socket.yml
@@ -10,7 +10,7 @@ rule:
 references:
 - https://github.com/ldcsaa/HP-Socket/
 examples:
- - dd597670a613c5435839e7f249dac0ad
+ - 4c46fdafceba8e450deb93cdb82a177e
 features:
 - or:
 - substring: "HP-Socket for Linux v%d.%d.%d [BN:%02d]"
From baf08103cfcfa0947b3e5b19b2c5c1109699b3f6 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Thu, 14 Dec 2023 15:36:19 +0800
Subject: [PATCH 5/6] Update linking/static/hp-socket/linked-against-hp-socket.yml
Co-authored-by: Yacine <16624109+yelhamer@users.noreply.github.com>
---
linking/static/hp-socket/linked-against-hp-socket.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/linking/static/hp-socket/linked-against-hp-socket.yml
index 6f7daf034..6dc9de80f 100644
--- a/linking/static/hp-socket/linked-against-hp-socket.yml
+++ b/linking/static/hp-socket/linked-against-hp-socket.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/hp-socket
 authors:
 - still@teamt5.org
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Command and Control::Non-Application Layer Protocol [T1095]
 references:
From 2cb401327a26d92f7326cee0b99fd67d774fa6d4 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 23 Jan 2024 15:10:15 +0800
Subject: [PATCH 6/6] Move rule to nursery
Signed-off-by: Still Hsu
---
.../static/hp-socket => nursery}/linked-against-hp-socket.yml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename {linking/static/hp-socket => nursery}/linked-against-hp-socket.yml (100%)
diff --git a/linking/static/hp-socket/linked-against-hp-socket.yml b/nursery/linked-against-hp-socket.yml
similarity index 100%
rename from linking/static/hp-socket/linked-against-hp-socket.yml
rename to nursery/linked-against-hp-socket.yml