CREATING CUSTOM SURICATA SIGNATURES

Hello friends, In this blog post we will discuss writing custom rules on Suricata. In previous Post, we talked about Snort and its keywords. If you haven’t read yet, before starting please look after snort rules and keywords from my previous blogpost.

Before We start I present you my Udemy Trainings if you want you can benefit my training for learning deeply;

Suricata provides the security professional, better attack visibility over a network, collecting network traffic as pcap files and proactive therat hunting. In incident response cases, logs and pcap files are vital. We use Suricata for increasing our cyber attack inspection capabilities. One of the most important futures Suricata is ability of Multi Thread Working ability. When we compare Suricata and Snort, Whereas Snort runs as single thread Suricata able to run multi thread moreover, in Snort we write rules over just TCP and UDP, In Suricata we can define the protocols such as HTTP, DNS, FTP, etc… We use Suricate for responding incidents timely and effectively. Suricata has a lot of useful capabilities and futures like Deep Packet Inspection, Instrusion Detection, Intrusion Prevention, Packet Capture and logging, Network Security Monitoring, Anomaly Detection, Multitenancay, Lua script applicable, GeoIP, Multitenancy, IP Reputation, Multi Threading. First install Suricata to Ubuntu 18.04. You can follow instruction for installing Suricata from the link is given below;

After installation process is completed let’s have a look after configuration files. First file is “suricata.yaml” file, it is created for configuration file. You can set Network variables and rule paths by using this file. File path is /etc/suricata/suricata.yaml For configuring Network variables let’s open file with vim -> vim /etc/suricata/suricata.yaml

You can set HOME_NET and EXTERNAL_NET variables with the appropriate Network addresses moreover port assignment can be implemented for knwon services. We need to set rule path for mapping Suricata rules location. For this purpose, we configure default-rule-path like shown below;

If you go to browse rule path you can see the rules, you also add new rules under this directory and create like local.rules file for writing custom Suricata rules.

We have already cleared installation and configuration process. Our next step is understanding Suricata Rules and developing some custom signatures. First examine the structure of a signature on Suricata;

Action:

A rule structure includes Action, Header, Rule Options and metadata parts. Action defines what if match is occured. Alert Generate alerts when rule is triggered and match the pattern but this action lets the traffic pass. Log action logs the traffic without alerting. Pass action lets the traffic flow. If Suricata is set as IPS mode, when signuture match a traffic pattern, packet is dropped if the action is drop. Reject action is kindly reject packet with RST packet.

Header:

Header contains protocol, IP, port and direction. Look at the example is given above from home network any port to External network any port will be inspected. It is used for specify IP, Port Network values and setting rule direcrtion such as Outbound, inbound and biodirectional traffic.

Rule Options:

If you remember in previous post while talking about Snort Rules, we use some rule options like content, offset, depth and distance, content, within. In addtion to this, we use nocase, isdataat relative, fast_pattern options.

Ok here we go, Lets write some Suricata rules and generate some malicious traffic for testing them. I downloaded some pcap files from pcapanalysis. You can download too…

https://www.pcapanalysis.com

First I investigate some phishing incidents and I will write custom signatures in local.rules file which is created by me before. Paypal phishing activity investigation and pcap analysis is show below, At Wireshark I perform pcap analysis If you look at the traffic you can see phishing attack from HTTP and DNS queries;

Ok! It is time to write Suricata signature for this incident. We need to find and handle necassery patterns from the payload;

From the hex patent, we use isdataat keyword, because of real paypal domain can not be include any value after paypal.com in buffer as a domain name. isdataat, relative keyword checks if any vaule exist in buffer after paypal.com. Just like in this example malicious domain contains www.paypal.com4uswebappsresetaccountrecovery....

Our first signature is written like shown below;

For testing our rule lets replay traffic with a pcap file and retriew the log files;

As you see we can successfully generate our alert;

At the second example we will write a custom signature for a ransomware. First I analyzed pcap file for catching some specific pattern;

As you see we will use http_uri patterns for detecting the ransomware activity over network. I created a rule like shown below and I will explain it for you;

In this rule we specified the method with http_method we seacrh GET in content of payload. After that we spesified that our folw direction which is directed from client to server then we search .php?SSTART string in http uri and we spesified that with http_uri parameter from previous match ( .php?SSTART=) we define a distance which notice to the Suricata haw far it searches new pattern, our new pattern is &CRYPTED_DATA if it’s detected, from detection point far from distance ( distance is 0 so search start from just from previous match) new pattern search starts for &UI in URI. Under normal conditions User Agent can’t be “Internet Explorer” solely it must be include more information so it’s not a valid user agent. I used isadataat keyword for controlling useragent wheather it just contains “Internet Explorer” and after that nothing. I found another packet for searching new indications;

I used the same way for writing custom rule for this ransomware;

Lets run Suricata and observe the logs;

Following example is implemented for wirenet trojan which uses dynamic dns. First I detected the malicious binary download link and observe the uripath;

After that I examined the DNS records. Dynamic dns is used by the malware;

Lets create Suricata rules for detecting tha malicious activities;

Now we can replay the malicious traffic for detecting the trojan activity or any dynamic DNS queries which is sended ddns.net.

In the following example lets detect the icmp tunneling. We can search some cmd commands at payload or we use dsize for controlling packet sizes. In the first step lets analyze the traffic;

As you see our pattern is ready for writing a signature;

When we replay the traffic Surcata generate alerts by using our custom rules successfully.

In the last example, create a simple rule for detecting SSH tunnel in a network. First analyze the packet for searching a good pattern for our rule;

This is classical SSH tunnel from client to command and control. If we checked Open-SSH keyword in traffic flow which is orginated from client to outbound traffic through 80, 443 and 53 ports we can create a custom rule about it.

When we observe the logs we can see the SSH tunnel. It’s very useful and simple way.

You can also examine and study over other suricata rules which are installed default. For example emerging exploit rules are shown the below. It facilitates your learning process.

Thank you for reading. See you new blog posts:)