Hey Noah,
Thanks for sharing the new sample! I took a look at this and see what you mean regarding the missing spaces. Just for reference, this is the detonation I'm looking at: Tria.ge Analysis
Do you mind sharing your http signature and pcap you are testing with? With this run from Tria.ge I was able to get a rule working using the URI/Method Buffers. I noticed that on your previous post it looks like your signature was formatted for Suricata 4 which may be an issue depending on how you are testing.
Suricata 4/5 use buffers in slightly different ways. Suri 4 uses content modifiers that look back in the rule. For example, this signature uses the http_uri content modifier format to match "index.php" in the URI.
alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
Suricata 5 uses sticky buffers which places the buffer name first, and all keywords following it apply to that buffer. This is that same rule written using the http.uri sticky buffer:
alert http any any -> any any (http.uri; content:"index.php"; sid:1;)
One thing to note is that when using sticky buffers, a lot of the underscores (_) have been replaced with periods (.); for example, http_uri has become http.uri.
The Suricata documentation has a helpful table which correlates the legacy buffers with their sticky buffer equivalents.
Here is your signature in the sticky buffers and content modifiers format.
Suricata 5 using sticky buffers:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; http.method; content:"POST"; http.uri; content:"/info/step"; http.request_body; content:"info="; sid:1; rev:1;)
Suricata 4 using content modifiers:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; content:"POST"; http_method; content:"/info/step"; http_uri; content:"info="; http_client_body; sid:1; rev:1;)
Sticky buffers can be hard to get the hang of, especially if you’ve worked with older versions of Suricata or Snort!
Edited to add:
Brandon Murphy on our team has a great writeup on this malware which is worth checking out. The malware is also known as CopperStealer. Here's a link: https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft
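As an added example (not code from the post above), a small Python converter that applies the Suricata 4 to Suricata 5 translation mechanically: it walks the rule options, lifts each legacy http_* content modifier out in front of its content as the sticky buffer, and keeps other modifiers such as nocase attached to their content. The buffer table is a subset I filled in from memory, and refusing to convert a raw-payload content that follows a sticky buffer is my own choice, not something the post prescribes.

```python
from typing import List

# Legacy Suricata 4 content modifier -> Suricata 5 sticky buffer (a subset of
# the table in the Suricata docs, written from memory; extend as needed).
LEGACY_TO_STICKY = {
    "http_method": "http.method", "http_uri": "http.uri",
    "http_client_body": "http.request_body", "http_header": "http.header",
    "http_user_agent": "http.user_agent", "http_host": "http.host",
}
# Keywords that modify the preceding content and must stay attached to it.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "fast_pattern"}

def split_options(body: str) -> List[str]:
    """Split a rule body on ';' outside double quotes (backslash escapes honoured)."""
    out, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc or ch == "\\":
            esc = not esc
        elif ch == '"':
            in_q = not in_q
        elif ch == ";" and not in_q:
            out.append("".join(cur).strip()); cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    return out + [tail] if tail else out

def to_sticky(rule: str) -> str:
    """Rewrite a Suricata 4 content-modifier rule into Suricata 5 sticky-buffer form."""
    head, _, body = rule.partition("(")
    opts = split_options(body.rstrip().rstrip(")"))
    out, i, active = [], 0, None  # active = sticky buffer currently in effect
    while i < len(opts):
        if opts[i].split(":", 1)[0] != "content":
            out.append(opts[i]); i += 1
            continue
        content, i, mods, buf = opts[i], i + 1, [], None
        # Collect the modifiers that follow this content; pull out the buffer one.
        while i < len(opts) and (opts[i] in LEGACY_TO_STICKY
                                 or opts[i].split(":", 1)[0] in CONTENT_MODIFIERS):
            if opts[i] in LEGACY_TO_STICKY:
                buf = LEGACY_TO_STICKY[opts[i]]
            else:
                mods.append(opts[i])
            i += 1
        if buf is None and active is not None:  # raw-payload content after a sticky buffer
            raise ValueError(f"{content} has no buffer modifier but {active} is still sticky")
        if buf is not None and buf != active:
            out.append(buf); active = buf
        out.extend([content] + mods)
    return f"{head}({'; '.join(out)};)"
```

Running to_sticky on the Suricata 4 form of the Dapato rule above yields the Suricata 5 form exactly; a content with no http_* modifier placed after a sticky buffer raises instead of silently changing which buffer it matches in.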