Didier Stevens

Friday 26 June 2015

Update: oledump.py Version 0.0.17 – ExitCode

Filed under: My Software,Update — Didier Stevens @ 9:44

Here is a new version of oledump with a couple of bugfixes and a new feature: ExitCode.

The ExitCode of the Python program running oledump.py is 0, except if the analyzed file contains macros, then it is 1. You can’t use options if you want the ExitCode.

Thanks Philippe for the idea.

oledump_V0_0_17.zip (https)
MD5: 5AF76C638AA300F6703C6913F80C061F
SHA256: A04DDE83621770BCD96D622C7B57C424E109949FD5EE2523987F30A34FD319E1

Tuesday 16 June 2015

Metasploit Meterpreter Reverse HTTPS Snort Rule

Filed under: Networking — Didier Stevens @ 22:00

Emerging Threats and Snort released my Snort rule to detect Metasploit Meterpreter Reverse HTTPS traffic.

More details about the rule in an upcoming blogpost.

Tuesday 9 June 2015


Filed under: My Software,Networking — Didier Stevens @ 0:00

pcap-rename.py is a program to rename pcap files with a timestamp of the first packet in the pcap file.

The first argument is a template of the new filename. Use %% as a placeholder for the timestamp. Don’t forget the .pcap extension.

The next arguments are the pcap files to be renamed.
You can provide one or more pcap files, use wildcards (*.pcap) and use @file.
@file: file is a text file containing filenames. Each file listed in the text file is processed.

Example to rename pcap files:
pcap-rename.py server-%%.pcap *.pcap

Renamed: capture1.pcap -> server-20140416-184037-926493.pcap
Renamed: capture2.pcap -> server-20140417-114252-700036.pcap
Renamed: capture3.pcap -> server-20140419-052202-911011.pcap
Renamed: capture4.pcap -> server-20140424-065625-868672.pcap

Use option -n to view the result without actually renaming the pcap files.

This program does not support .pcapng files (yet).

pcap-rename_V0_0_1.zip (https)
MD5: 5F844411E178909970BC21349A629438
SHA256: AB706DB3470A915A3031EC248B8DAF83C08F42DBF6AC2EACB1A2DB2493B0AEEE

Thursday 4 June 2015

Regular Expressions With Comments

Filed under: My Software — Didier Stevens @ 20:01

Many flavors of regular expressions support comments now. You can make your regular expression a bit more readable by adding comments. Like in programming languages, where a comment does not change the behavior of the program, a regular expression comment does not change the behavior of the regular expression.

A regular expression comment is written like this: (?#comment) where comment can be any text, as long it is not ).

Here is an example of a regular expression for a simple email address: [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,6}

And here is the same regular expression with a comment (bold): [A-Z0-9._%+-]+@(?#domain)[A-Z0-9.-]+\.[A-Z]{2,6}

Why am I posting this? Because I’m using this in my new Snort rules I’m blogging about soon.

Blog at WordPress.com.