Community Contribution to ChopShop

August 21, 2013
CND Tools: Post by Wesley Shields

One of our goals in developing ChopShop is to make it easy for developers to write decoders and to share them within their own communities. This enables users and developers like you to share your decoders and incorporate the work of others as you see fit. To that end, we are working with developers who want to use ChopShop and contribute modules back to the public repository. Today we are pleased to let you know that FireEye is contributing a new module to decode traffic from the Poison Ivy malware.

A little backstory: FireEye recently approached our ChopShop development team to discuss a new module for Poison Ivy that they had been working on. We helped them tie up some loose ends with the module and provided some samples to use in testing it. The result is a robust Poison Ivy decoder that is now available in the ChopShop repository, thanks to FireEye. If you'd like to read more about the technical side of how Poison Ivy or the decoder works, head over to the FireEye blog (or you can read the code yourself).

I would like to encourage other organizations utilizing ChopShop who wish to contribute to the wider community to contact me. Not only can we help you understand the ins and outs of module writing, but we may also have technical insights into the protocol you are working with.

With so many threats out there, we don't believe that every organization has the resources or insights to effectively combat them all. By working together and collaborating across organizations and sectors, we can help organizations increase their capabilities to detect and understand malicious traffic. We look forward to more organizations writing ChopShop modules and sharing them back to the repository.